[master] 176f8a0 Avoid buffer read overflow on vcl_error and -sfile
Martin Blix Grydeland
martin at varnish-software.com
Tue Sep 19 09:00:08 UTC 2017
commit 176f8a075a963ffbfa56f1c460c15f6a1a6af5a7
Author: Martin Blix Grydeland <martin at varnish-software.com>
Date: Mon Sep 18 16:04:53 2017 +0200
Avoid buffer read overflow on vcl_error and -sfile
The file stevedore may return a buffer larger than asked for when
requesting storage. Due to lack of check for this condition, the code
to copy the synthetic error memory buffer from vcl_error would overrun
the buffer.
Patch by @shamger
Fixes: #2429
diff --git a/bin/varnishd/cache/cache_fetch.c b/bin/varnishd/cache/cache_fetch.c
index 20b3596..8839642 100644
--- a/bin/varnishd/cache/cache_fetch.c
+++ b/bin/varnishd/cache/cache_fetch.c
@@ -899,6 +899,8 @@ vbf_stp_error(struct worker *wrk, struct busyobj *bo)
l = ll;
if (VFP_GetStorage(bo->vfc, &l, &ptr) != VFP_OK)
break;
+ if (l > ll)
+ l = ll;
memcpy(ptr, VSB_data(synth_body) + o, l);
VFP_Extend(bo->vfc, l);
ll -= l;
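Review bot: the clamp `if (l > ll) l = ll;` placed after VFP_GetStorage() in vbf_stp_error() carries no comment explaining why the returned length can exceed the requested one, so it reads as dead code to anyone who assumes the call honours the size passed in. A short comment stating that the stevedore (the file stevedore, per the commit message) may hand back more storage than asked for would keep the check from being removed in a later cleanup. Because the over-sized return is a property of VFP_GetStorage() rather than of this caller, it is also worth checking whether other callers copy `l` bytes from a source sized by their own request. The visible diff adds no test case exercising vcl_error with -sfile.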