[4.1] 19a7318 Avoid buffer read overflow on vcl_error and -sfile

Pål Hermunn Johansen hermunn at varnish-software.com
Tue Sep 19 09:29:04 UTC 2017

commit 19a73184c6470a54f843c7c226c641a0b4ac2e8e
Author: Martin Blix Grydeland <martin at varnish-software.com>
Date:   Mon Sep 18 16:04:53 2017 +0200

    Avoid buffer read overflow on vcl_error and -sfile
    The file stevedore may return a buffer larger than asked for when
    requesting storage. Due to lack of check for this condition, the code
    to copy the synthetic error memory buffer from vcl_error would overrun
    the buffer.
    Patch by @shamger
    Fixes: #2429

diff --git a/bin/varnishd/cache/cache_fetch.c b/bin/varnishd/cache/cache_fetch.c
index d36377c..70f953f 100644
--- a/bin/varnishd/cache/cache_fetch.c
+++ b/bin/varnishd/cache/cache_fetch.c
@@ -873,6 +873,8 @@ vbf_stp_error(struct worker *wrk, struct busyobj *bo)
 		l = ll;
 		if (VFP_GetStorage(bo->vfc, &l, &ptr) != VFP_OK)
+		if (l > ll)
+			l = ll;
 		memcpy(ptr, VSB_data(synth_body) + o, l);
 		VBO_extend(bo, l);
 		ll -= l;
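
Review bot: as the hunk reads here, the new `if (l > ll)` sits directly under `if (VFP_GetStorage(bo->vfc, &l, &ptr) != VFP_OK)` with no statement in between, and the header announces 6 context lines while only 5 are shown, so please confirm against the file that the clamp follows the failure branch's own statement rather than becoming its body. If it were the body, `l = ll` would run only on the error path and the `memcpy` would still use the oversized `l` on success. A one-line comment above the clamp saying that the storage call may return more than was requested (the -sfile case from the commit message) would keep it from being removed later as dead code. It is also worth checking whether other callers of VFP_GetStorage assume the returned length never exceeds the request.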
