[5.1] c8a4411 Correctly handle bogusly large chunk sizes

Pål Hermunn Johansen hermunn at varnish-software.com
Wed Aug 2 12:03:06 CEST 2017


commit c8a4411527a2dbce0fa9f1998dc0cd2d8314d126
Author: Martin Blix Grydeland <martin at varnish-software.com>
Date:   Thu Jul 27 11:52:58 2017 +0200

    Correctly handle bogusly large chunk sizes
    
    This fixes a denial of service attack vector where bogusly large chunk
    sizes in requests could be used to force restarts of the Varnish
    server.
    
    This is Varnish Security Vulnerability VSV00001
    
    For more information visit: https://varnish-cache.org/security/VSV00001
    
    Fixes: #2379

diff --git a/bin/varnishd/http1/cache_http1_vfp.c b/bin/varnishd/http1/cache_http1_vfp.c
index 715a110..e57262c 100644
--- a/bin/varnishd/http1/cache_http1_vfp.c
+++ b/bin/varnishd/http1/cache_http1_vfp.c
@@ -152,7 +152,7 @@ v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr,
 		if (q == NULL || *q != '\0')
 			return (VFP_Error(vc, "chunked header number syntax"));
 		cl = (ssize_t)cll;
-		if ((uintmax_t)cl != cll)
+		if (cl < 0 || (uintmax_t)cl != cll)
 			return (VFP_Error(vc, "bogusly large chunk size"));
 
 		vfe->priv2 = cl;
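Review bot: The added `cl < 0` test on the changed line detects the overflow only after the narrowing `cl = (ssize_t)cll;` on the line above has already happened, so it depends on the implementation-defined result of converting an out-of-range unsigned value to a signed type. Checking the unsigned value before converting removes that dependency and makes the round-trip comparison unnecessary: `if (cll > SSIZE_MAX) return (VFP_Error(vc, "bogusly large chunk size"));` followed by `cl = (ssize_t)cll;`. The declaration of `cll` is outside the hunk; this assumes it is an unsigned integer type such as uintmax_t, as the `(uintmax_t)cl != cll` comparison suggests. v1f_pull_chunked begins before the hunk and continues after it.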
diff --git a/bin/varnishtest/tests/f00001.vtc b/bin/varnishtest/tests/f00001.vtc
new file mode 100644
index 0000000..dc9fd9b
--- /dev/null
+++ b/bin/varnishtest/tests/f00001.vtc
@@ -0,0 +1,40 @@
+varnishtest "Check that we handle bogusly large chunks correctly"
+
+# Check that the bug has been fixed
+
+server s1 {
+	rxreq
+	txresp
+} -start
+
+varnish v1 -vcl+backend {
+} -start
+
+client c1 {
+	send "POST / HTTP/1.1\r\n"
+	send "Transfer-Encoding: chunked\r\n\r\n"
+	send "FFFFFFFFFFFFFFED\r\n"
+	send "0\r\n\r\n"
+
+	rxresp
+	expect resp.status == 503
+} -run
+
+# Check that the published workaround does not cause harm
+
+varnish v1 -vcl+backend {
+	sub vcl_recv {
+		if (req.http.transfer-encoding ~ "(?i)chunked") {
+			return (fail);
+		}
+	}
+}
+
+client c1 {
+	send "POST / HTTP/1.1\r\n"
+	send "Transfer-Encoding: chunked\r\n\r\n"
+	send "FFFFFFFFFFFFFFED\r\n"
+
+	rxresp
+	expect resp.status == 503
+} -run
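Review bot: The second client block, the one run after the `return (fail)` VCL is loaded, sends the chunk-size line but no terminating `0\r\n\r\n`, unlike the first client block, and nothing says whether that is deliberate; a comment such as `# No chunk terminator: vcl_recv fails before the body is read` would make the intent clear so the omission is not "fixed" later. The size FFFFFFFFFFFFFFED is far past the signed boundary; a further request using 8000000000000000, the smallest value the new `cl < 0` check rejects on a 64-bit ssize_t, would pin the boundary the fix introduces rather than only a value deep inside the rejected range.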
diff --git a/doc/changes.rst b/doc/changes.rst
index 41d83d0..42637d7 100644
--- a/doc/changes.rst
+++ b/doc/changes.rst
@@ -1,4 +1,15 @@
 ================================
+Varnish Cache 5.1.3 (unreleased)
+================================
+
+Bugs fixed
+----------
+
+* 2379_ - Correctly handle bogusly large chunk sizes (VSV00001)
+
+.. _2379: https://github.com/varnishcache/varnish-cache/issues/2379
+
+================================
 Varnish Cache 5.1.2 (2017-04-07)
 ================================
 


