[master] d235b3c90 fix an infinite loop in the gunzip VDP with junk after GZ_END

Wed Oct 30 14:21:05 UTC 2019

commit d235b3c90a631ef39fdf0a8103e44ebfb0ddbacb
Author: Nils Goroll <nils.goroll at uplex.de>
Date:   Wed Oct 30 15:12:08 2019 +0100

    fix an infinite loop in the gunzip VDP with junk after GZ_END
    
    The gunzip vdp failed to handle junk after end of gzip data. This
    basically mirrors #942 on the client side, also the fix is basically the
    same as 41f7a356e2be38f03428589710d163bd4110d9fd
    
    The impact of this bug is likely to be low, because the built-in
    beresp.filters logic will push the testgunzip VFP for gzip content
    received from backends, so, unless VCL is forced to pass backend
    responses unchecked or vmods generate body data, it can be considered
    unlikely that this issue will be hit.
    
    Fixes #3109

diff --git a/bin/varnishd/cache/cache_gzip.c b/bin/varnishd/cache/cache_gzip.c
index 46146beb3..758c990cf 100644
--- a/bin/varnishd/cache/cache_gzip.c
+++ b/bin/varnishd/cache/cache_gzip.c
@@ -364,6 +364,11 @@ vdp_gunzip_bytes(struct req *req, enum vdp_action act, void **priv,
 	VGZ_Ibuf(vg, ptr, len);
 	do {
 		vr = VGZ_Gunzip(vg, &dp, &dl);
+		if (vr == VGZ_END && !VGZ_IbufEmpty(vg)) {
+			VSLb(vg->vsl, SLT_Gzip, "G(un)zip error: %d (%s)",
+			     vr, "junk after VGZ_END");
+			return (-1);
+		}
 		vg->m_len += dl;
 		if (vr < VGZ_OK)
 			return (-1);
diff --git a/bin/varnishtest/tests/r03109.vtc b/bin/varnishtest/tests/r03109.vtc
new file mode 100644
index 000000000..f3763a742
--- /dev/null
+++ b/bin/varnishtest/tests/r03109.vtc
@@ -0,0 +1,34 @@
+varnishtest "Test garbage after gzip end reaching gunzip vdp"
+
+server s1 {
+	rxreq
+	txresp -hdr "content-encoding: gzip" -nolen
+	# (date | gzip -9f ; echo bad)  | od -t x1|
+	# sed -e 's:^[0-9a-f]* :sendhex ":' -e 's:$:":' -e '/^[0-9a-f]*"/ d'
+	sendhex "1f 8b 08 00 f5 8a b9 5d 02 03 0b 4f 4d 51 30 36"
+	sendhex "50 f0 4f 2e 51 30 34 b1 32 30 b7 32 30 54 70 76"
+	sendhex "0d 51 30 32 30 b4 e4 02 00 fa 76 79 ba 1d 00 00"
+	sendhex "00 62 61 64 0a"
+} -start
+
+varnish v1 -vcl+backend {
+	sub vcl_backend_response {
+		# no gunzip check
+		set beresp.filters = "";
+	}
+	sub vcl_deliver {
+		set resp.filters = "gunzip";
+	}
+} -start
+
+logexpect l1 -v v1 -q "vxid == 1001" {
+	expect * 1001	Gzip {^G.un.zip error: 1 .junk after VGZ_END.$}
+} -start
+
+client c1 {
+	txreq
+	rxresphdrs
+	expect_close
+} -run
+
+logexpect l1 -wait
