[master] 4842825 Fix PROXY and HTTP/1 proto dissectors to not rely on space for an extra NUL.
Poul-Henning Kamp
phk at FreeBSD.org
Fri Jun 8 16:42:21 UTC 2018
commit 4842825668bd50cd833ae4d649ca2f964ec83e5e
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date: Fri Jun 8 16:41:15 2018 +0000
Fix PROXY and HTTP/1 proto dissectors to not rely on space for an extra NUL.
diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c
index 9d1c072..d1ad4d2 100644
--- a/bin/varnishd/http1/cache_http1_proto.c
+++ b/bin/varnishd/http1/cache_http1_proto.c
@@ -37,9 +37,6 @@
* and stops when we see the magic marker (double [CR]NL), and if we overshoot,
* it keeps track of the "pipelined" data.
*
- * Until we see the magic marker, we have to keep the rxbuf NUL terminated
- * because we use strchr(3) on it.
- *
* We use this both for client and backend connections.
*/
@@ -75,10 +72,6 @@ HTTP1_Complete(struct http_conn *htc)
assert(htc->rxbuf_e >= htc->rxbuf_b);
assert(htc->rxbuf_e <= htc->ws->r);
- if (htc->rxbuf_e == htc->ws->r)
- return (HTC_S_OVERFLOW); // No space for NUL
- *htc->rxbuf_e = '\0';
-
/* Skip any leading white space */
for (p = htc->rxbuf_b ; vct_islws(*p); p++)
continue;
@@ -95,12 +88,13 @@ HTTP1_Complete(struct http_conn *htc)
* is completed. More stringent validation happens later.
*/
while (1) {
- p = strchr(p, '\n');
+ p = memchr(p, '\n', htc->rxbuf_e - p);
if (p == NULL)
return (HTC_S_MORE);
- p++;
- if (*p == '\r')
- p++;
+ if (++p == htc->rxbuf_e)
+ return (HTC_S_MORE);
+ if (*p == '\r' && ++p == htc->rxbuf_e)
+ return (HTC_S_MORE);
if (*p == '\n')
break;
}
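Review bot: The length handed to `memchr` in this loop, `htc->rxbuf_e - p`, is only meaningful while `p` has not passed `rxbuf_e`, and the whitespace-skip loop kept as context in the previous hunk (`for (p = htc->rxbuf_b ; vct_islws(*p); p++)`) no longer has the NUL sentinel that used to stop it. With a buffer holding only whitespace, that loop reads beyond the received data. Unless the code between the two hunks (not visible here) catches the overshoot, the subtraction goes negative and converts to a very large `size_t`. Bounding the skip loop closes this: `for (p = htc->rxbuf_b; p < htc->rxbuf_e && vct_islws(*p); p++)`. HTTP1_Complete starts and ends outside the hunk.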
diff --git a/bin/varnishd/proxy/cache_proxy_proto.c b/bin/varnishd/proxy/cache_proxy_proto.c
index 32ddd6f..a10756d 100644
--- a/bin/varnishd/proxy/cache_proxy_proto.c
+++ b/bin/varnishd/proxy/cache_proxy_proto.c
@@ -69,13 +69,14 @@ vpx_proto1(const struct worker *wrk, const struct req *req)
CHECK_OBJ_NOTNULL(req, REQ_MAGIC);
CHECK_OBJ_NOTNULL(req->sp, SESS_MAGIC);
- q = strchr(req->htc->rxbuf_b, '\r');
+ q = memchr(req->htc->rxbuf_b, '\r',
+ req->htc->rxbuf_e - req->htc->rxbuf_b);
if (q == NULL)
return (-1);
*q++ = '\0';
/* Nuke the CRLF */
- if (*q != '\n')
+ if (*q != '\n' || q == req->htc->rxbuf_e)
return (-1);
*q++ = '\0';
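Review bot: The new condition `if (*q != '\n' || q == req->htc->rxbuf_e)` reads `*q` before it checks that `q` is still inside the received data. When the `'\r'` found by `memchr` is the last byte received, the test dereferences one byte past `rxbuf_e`, which is the very read this commit sets out to stop relying on. Putting the bounds test first lets it short-circuit the dereference: `if (q == req->htc->rxbuf_e || *q != '\n')`. vpx_proto1 continues outside the hunk.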
@@ -515,8 +516,7 @@ vpx_complete(struct http_conn *htc)
return (HTC_S_JUNK);
if (j == 1 && i == sizeof vpx1_sig) {
assert (htc->rxbuf_e < htc->ws->r);
- *htc->rxbuf_e = '\0';
- q = strchr(p + i, '\n');
+ q = memchr(p + i, '\n', htc->rxbuf_e - (p + i));
if (q != NULL && (q - htc->rxbuf_b) > 107)
return (HTC_S_OVERFLOW);
if (q == NULL)
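Review bot: The retained `assert (htc->rxbuf_e < htc->ws->r);` still demands a spare byte after the received data, although the NUL store it guarded is removed in this hunk. HTTP1_Complete asserts `<=` for the same pair of pointers, so a receive buffer filled exactly to `ws->r` appears to be a legal state; on this path it would trip the assertion instead of returning a status. Suggest relaxing it to `assert(htc->rxbuf_e <= htc->ws->r);` or dropping it, so that peer-controlled input length cannot reach an assertion failure. vpx_complete starts and ends outside the hunk.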