[master] 3a6c4d5 Limit length of header names to not overflow length byte

Poul-Henning Kamp phk at FreeBSD.org
Tue Nov 29 13:26:05 CET 2016 

commit 3a6c4d5f3199c93b6d400ebd1af782a78d0ea921
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date:   Tue Nov 29 10:39:25 2016 +0000

    Limit length of header names to not overflow length byte

diff --git a/bin/varnishtest/tests/v00021.vtc b/bin/varnishtest/tests/v00021.vtc
index 664a836..04a8ddc 100644
--- a/bin/varnishtest/tests/v00021.vtc
+++ b/bin/varnishtest/tests/v00021.vtc
@@ -1,4 +1,4 @@
-varnishtest "VCL compiler coverage test: vcc_xref.c"
+varnishtest "VCL compiler coverage test: vcc_xref.c vcc_var.c vcc_symb.c"
 
 varnish v1 -errvcl {Variable 'obj.ttl' is read only.} {
 	backend b { .host = "127.0.0.1"; }
@@ -72,3 +72,21 @@ varnish v1 -errvcl {Invalid return "deliver"} {
 		return (deliver);
 	}
 }
+
+varnish v1 -errvcl {HTTP header (buckinghambuckingham..) is too long.} {
+
+	backend foo { .host = "${bad_ip}"; .port = "9080"; }
+
+	sub vcl_deliver {
+		set resp.http.buckinghambuckinghambuckinghambuckinghambuckinghambuckinghambuckinghambuckinghambuckinghambuckinghambuckinghambuckinghambucking = "foobar";
+	}
+} 
+
+varnish v1 -vcl {
+
+	backend foo { .host = "${bad_ip}"; .port = "9080"; }
+
+	sub vcl_deliver {
+		set resp.http.buckinghambuckinghambuckinghambuckinghambuckinghambuckinghambuckinghambuckinghambuckinghambuckinghambuckinghambuckinghambuckin = "foobar";
+	}
+} 
diff --git a/lib/libvcc/vcc_var.c b/lib/libvcc/vcc_var.c
index eac452d..00fc022 100644
--- a/lib/libvcc/vcc_var.c
+++ b/lib/libvcc/vcc_var.c
@@ -51,6 +51,13 @@ vcc_Var_Wildcard(struct vcc *tl, struct symbol *parent,
 	vh = parent->wildcard_priv;
 	assert(vh->fmt == HEADER);
 
+	if (b + 127 <= e) {
+		VSB_printf(tl->sb, "HTTP header (%.20s..) is too long.\n", b);
+		VSB_cat(tl->sb, "\nAt: ");
+		vcc_ErrWhere(tl, tl->t);
+		return;
+	}
+
 	v = TlAlloc(tl, sizeof *v);
 	AN(v);
 	v->r_methods = vh->r_methods;
@@ -100,6 +107,8 @@ vcc_FindVar(struct vcc *tl, const struct token *t, int wr_access,
 	const struct symbol *sym;
 
 	sym = VCC_SymbolTok(tl, NULL, t, SYM_VAR, 0);
+	if (tl->err)
+		return (NULL);
 	if (sym != NULL) {
 		if (wr_access && sym->w_methods == 0) {
 			VSB_printf(tl->sb, "Variable ");

More information about the varnish-commit mailing list