[4.0] 138015a Correctly handle bogusly large chunk sizes

Pål Hermunn Johansen hermunn at varnish-software.com
Wed Aug 2 12:02:06 CEST 2017


commit 138015a3a5251da2ce56389435fe046c4b7da135
Author: Martin Blix Grydeland <martin at varnish-software.com>
Date:   Thu Jul 27 11:52:58 2017 +0200

    Correctly handle bogusly large chunk sizes
    
    This fixes a denial of service attack vector where bogusly large chunk
    sizes in requests could be used to force restarts of the Varnish
    server.
    
    This is Varnish Security Vulnerability VSV00001
    
    For more information visit: https://varnish-cache.org/security/VSV00001
    
    Fixes: #2379

diff --git a/bin/varnishd/cache/cache_http1_proto.c b/bin/varnishd/cache/cache_http1_proto.c
index 1142011..a6ff014 100644
--- a/bin/varnishd/cache/cache_http1_proto.c
+++ b/bin/varnishd/cache/cache_http1_proto.c
@@ -586,7 +586,7 @@ HTTP1_Chunked(struct http_conn *htc, intptr_t *priv, const char **error,
 		if (q == NULL || *q != '\0')
 			ERR("chunked header number syntax");
 		cl = (ssize_t)cll;
-		if((uintmax_t)cl != cll)
+		if (cl < 0 || (uintmax_t)cl != cll)
 			ERR("bogusly large chunk size");
 
 		*priv = cl;
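Review bot: The new guard still performs `cl = (ssize_t)cll;` before testing `cl < 0`, and converting an out-of-range unsigned value to a signed type is implementation-defined in C (C11 6.3.1.3p3), so the rejection relies on two's-complement wrap-around rather than on an explicit range check. A portable form bounds the value before the conversion: `if (cll > (uintmax_t)SSIZE_MAX) ERR("bogusly large chunk size"); cl = (ssize_t)cll;`, which makes the cast lossless and lets the `(uintmax_t)cl != cll` comparison be dropped or kept as belt-and-braces. SSIZE_MAX comes from <limits.h> on POSIX systems; confirm it is available in this translation unit before relying on it. The body of HTTP1_Chunked begins and ends outside the hunk.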
diff --git a/bin/varnishtest/tests/f00001.vtc b/bin/varnishtest/tests/f00001.vtc
new file mode 100644
index 0000000..32d54f7
--- /dev/null
+++ b/bin/varnishtest/tests/f00001.vtc
@@ -0,0 +1,83 @@
+varnishtest "Check that we handle bogusly large chunks correctly"
+
+# Check that the bug has been fixed
+
+server s1 {
+	rxreq
+	txresp
+
+	accept
+	rxreq
+	txresp
+} -start
+
+varnish v1 -vcl+backend {
+} -start
+
+client c1 {
+	send "POST / HTTP/1.1\r\n"
+	send "Transfer-Encoding: chunked\r\n\r\n"
+	send "FFFFFFFFFFFFFFED\r\n"
+	send "0\r\n\r\n"
+
+	rxresp
+	expect resp.status == 503
+} -run
+
+# Check that the published workaround does not cause harm
+
+varnish v1 -cliok "param.set vcc_allow_inline_c true"
+
+varnish v1 -vcl+backend {
+	sub exploit_workaround {
+		# This needs to be defined before your vcl_recv function
+		# Make sure that the runtime parameter vcc_allow_inline_c is set to true
+		# This code is only valid with version 4.0 of Varnish Cache
+		if (req.http.transfer-encoding ~ "(?i)chunked") {
+			C{
+			struct dummy_req {
+				unsigned	magic;
+				int		restarts;
+				int		esi_level;
+				int		disable_esi;
+				char		hash_ignore_busy;
+				char		hash_always_miss;
+				void		*sp;
+				void		*wrk;
+				int		req_step;
+				struct {
+					void *	a;
+					void *	b;
+				};
+				int		req_body_status;
+			};
+			((struct dummy_req *)ctx->req)->req_body_status = 6;
+			}C
+
+			return (synth(503, "Bad request"));
+		}
+	}
+
+	sub vcl_recv {
+		# Call this early in your vcl_recv function
+		call exploit_workaround;
+	}
+}
+
+client c1 {
+	send "POST / HTTP/1.1\r\n"
+	send "Transfer-Encoding: chunked\r\n\r\n"
+	send "FFFFFFFFFFFFFFED\r\n"
+	send "0\r\n\r\n"
+
+	rxresp
+	expect resp.status == 400
+} -run
+
+# Make sure that varnish is still running
+
+client c1 {
+	txreq
+	rxresp
+	expect resp.status == 200
+} -run
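Review bot: The second client block expects `resp.status == 400` although the workaround VCL it exercises returns `synth(503, "Bad request")`, and nothing in the file explains where the 400 comes from; a one-line comment above that `expect` stating which path actually produces the 400 (presumably the forced request-body failure takes precedence over the synth) would save the next reader a debugging session. The test also covers a single bogus size, `FFFFFFFFFFFFFFED`; a further client sending `8000000000000000`, the smallest value that turns negative after the cast, would pin the new `cl < 0` check in cache_http1_proto.c directly rather than only the wrap-around case. The inline C in `exploit_workaround` mirrors the private request struct field by field, which the comment limits to 4.0; restating in the test header that this block must not be copied to other versions would make that constraint harder to miss.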
diff --git a/doc/changes.rst b/doc/changes.rst
index f663c45..50d9fc7 100644
--- a/doc/changes.rst
+++ b/doc/changes.rst
@@ -1,3 +1,14 @@
+========================================
+Changes from 4.0.4 to 4.0.5 (unreleased)
+========================================
+
+Bugs fixed
+----------
+
+* 2379_ - Correctly handle bogusly large chunk sizes (VSV00001)
+
+.. _2379: https://github.com/varnishcache/varnish-cache/issues/2379
+
 ==============================================
 Changes from 4.0.4-beta1 to 4.0.4 (2016-11-30)
 ==============================================


