[4.1] 49ad1b211 Fix a panic in VRB_Cache

Pål Hermunn Johansen hermunn at varnish-software.com
Wed Jan 2 12:54:07 UTC 2019


commit 49ad1b2119eb984280b26551d702cf122fd9eb24
Author: Pål Hermunn Johansen <hermunn at varnish-software.com>
Date:   Wed Jan 2 13:44:23 2019 +0100

    Fix a panic in VRB_Cache
    
    This adds error handling for STV_NewObject(.., TRANSIENT) in VRB_Cache,
    which previously hit an assertion (and panicked) when Transient was full.
    
    This is a back port of 6045eaaa6a2.
    
    Fixes: #2831
    
    Conflicts:
            bin/varnishd/cache/cache_req_body.c
            bin/varnishtest/tests/r02831.vtc

diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c
index ccd73081d..90b27ea4f 100644
--- a/bin/varnishd/cache/cache_req_body.c
+++ b/bin/varnishd/cache/cache_req_body.c
@@ -239,7 +239,12 @@ VRB_Cache(struct req *req, ssize_t maxsize)
 
 	req->body_oc = HSH_Private(req->wrk);
 	AN(req->body_oc);
-	XXXAN(STV_NewObject(req->body_oc, req->wrk, TRANSIENT_STORAGE, 8));
+	if (STV_NewObject(req->body_oc, req->wrk, TRANSIENT_STORAGE, 8) == 0) {
+		(void)VFP_Error(vfc, "Object allocation failed -"
+			" ran out of space in Transient");
+		req->req_body_status = REQ_BODY_FAIL;
+		return (-1);
+	}
 
 	vfc->http = req->http;
 	vfc->oc = req->body_oc;
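Review bot: The new failure branch returns with `req->body_oc` still pointing at the objcore obtained from `HSH_Private()` two lines earlier, and nothing in the hunk releases it or shows where it is released. If request teardown does not already drop that reference, each rejected body would leave an objcore behind, and this path is reachable by any client that sends a POST while Transient is full. Either release the objcore and clear `req->body_oc` before `return (-1);`, or, once the existing cleanup is confirmed, add a comment such as `/* body_oc is released by the request cleanup path */`. VRB_Cache starts and ends outside the hunk, so the cleanup may exist out of view.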
diff --git a/bin/varnishtest/tests/r02831.vtc b/bin/varnishtest/tests/r02831.vtc
new file mode 100644
index 000000000..29282b5d5
--- /dev/null
+++ b/bin/varnishtest/tests/r02831.vtc
@@ -0,0 +1,56 @@
+varnishtest "#2831: Out of storage in cache_req_body"
+
+server s1 {
+	rxreq
+	expect req.url == "/obj1"
+	txresp -bodylen 1048400
+} -start
+
+varnish v1 \
+	-arg "-p nuke_limit=0" \
+	-arg "-sTransient=malloc,1m" \
+	-vcl+backend {
+	import ${vmod_std};
+	sub vcl_recv {
+		if (req.method == "POST") {
+			std.cache_req_body(1KB);
+		}
+	}
+	sub vcl_backend_response {
+		set beresp.do_stream = false;
+		set beresp.storage_hint = "Transient";
+		# Unset Date header to not change the object sizes
+		unset beresp.http.Date;
+	}
+} -start
+
+varnish v1 -cliok "param.set debug +syncvsl"
+
+delay .1
+
+client c1 {
+	# Fill transient
+	txreq -url "/obj1"
+	rxresp
+	expect resp.status == 200
+} -run
+
+delay .1
+
+varnish v1 -expect SMA.Transient.g_bytes > 1048400
+varnish v1 -expect SMA.Transient.g_space < 100
+
+client c1 {
+	# No space for caching this req.body
+	txreq -req "POST" -body "foobar"
+	delay 1
+} -run
+
+varnish v1 -expect SMA.Transient.c_fail == 1
+
+client c1 {
+	# Check that Varnish is still alive
+	txreq -url "/obj1"
+	rxresp
+	expect resp.status == 200
+} -run
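Review bot: The second client block sends the POST and then only waits (`delay 1`), so the test never pins what the client observes when body caching fails. It checks only `SMA.Transient.c_fail == 1` and that a later GET still succeeds. Following the `txreq` with `rxresp` and `expect resp.status == <expected status>` (or `expect_close`, if the connection is meant to be dropped) would make the client-visible outcome part of the regression test and remove the reliance on a fixed one-second sleep. The expected outcome cannot be derived from this diff and has to come from the intended behaviour of the failure path.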
diff --git a/doc/changes.rst b/doc/changes.rst
index 5a4e7e2c1..b712f9bfc 100644
--- a/doc/changes.rst
+++ b/doc/changes.rst
@@ -1,3 +1,13 @@
+=================================
+Varnish Cache 4.1.11 (unreleased)
+=================================
+
+Changes since 4.1.10:
+
+* New counter added: cache_hit_grace (2831_)
+
+.. _2831: https://github.com/varnishcache/varnish-cache/issues/2831
+
 =================================
 Varnish Cache 4.1.10 (2018-04-25)
 =================================

