[6.2] 72df38fa8 Fix http1_splitline parsing of 2 field HTTP proto lines using NLNL

Martin Blix Grydeland martin at varnish-software.com
Tue Sep 3 10:06:05 UTC 2019


commit 72df38fa8bfc0f5ca4a75d3e32657e8e590d85ab
Author: Martin Blix Grydeland <martin at varnish-software.com>
Date:   Thu Aug 15 10:56:58 2019 +0200

    Fix http1_splitline parsing of 2 field HTTP proto lines using NLNL
    
    When parsing a request like this, "GET /\n\n", the first NL would be
    overwritten by the nul guard inserted after the 2nd field, and the second
    NL would be overwritten by the nul guard after the missing 3rd field. This
    would cause http1_dissect_hdrs to attempt to decode the body as headers.

diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c
index c64a56853..0531d7462 100644
--- a/bin/varnishd/http1/cache_http1_proto.c
+++ b/bin/varnishd/http1/cache_http1_proto.c
@@ -218,7 +218,7 @@ static uint16_t
 http1_splitline(struct http *hp, struct http_conn *htc, const int *hf,
     unsigned maxhdr)
 {
-	char *p;
+	char *p, *q;
 	int i;
 
 	assert(hf == HTTP1_Req || hf == HTTP1_Resp);
@@ -259,14 +259,19 @@ http1_splitline(struct http *hp, struct http_conn *htc, const int *hf,
 	hp->hd[hf[1]].e = p;
 	if (!Tlen(hp->hd[hf[1]]))
 		return (400);
-	*p++ = '\0';
 
 	/* Skip SP */
+	q = p;
 	for (; vct_issp(*p); p++) {
 		if (vct_isctl(*p))
 			return (400);
 	}
 	hp->hd[hf[2]].b = p;
+	if (q < p)
+		*q = '\0';	/* Nul guard for the 2nd field. If q == p
+				 * (the third optional field is not
+				 * present), the last nul guard will
+				 * cover this field. */
 
 	/* Third field is optional and cannot contain CTL except TAB */
 	for (; p < htc->rxbuf_e && !vct_iscrlf(p, htc->rxbuf_e); p++) {
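Review bot: The fix ships without a regression test for the `GET /\n\n` request described in the commit message, so the q == p path (third field absent) is only covered by reasoning in the comment; a varnishtest case sending that request and asserting the status, and that the body is not re-parsed as headers, would pin it. That path also depends on the final nul guard written after the third field, which is outside this hunk, landing exactly at hp->hd[hf[1]].e — worth stating where that guard is written, since the two are now coupled. As a point of style, the four-line block comment trailing `*q = '\0';` would read better placed above the `if (q < p)` as `/* Nul guard for the 2nd field. When q == p the optional third field is absent and the final nul guard covers this field too. */`. http1_splitline continues beyond the end of the hunk.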

