[master] e0cb8d325 vary: Prevent a buffer overflow in VRY_Validate()
Dridi Boukelmoune
dridi.boukelmoune at gmail.com
Mon Aug 31 18:41:11 UTC 2020
commit e0cb8d325aeca870f3adb94c96685728ae684ebf
Author: Dridi Boukelmoune <dridi.boukelmoune at gmail.com>
Date: Thu May 7 19:00:10 2020 +0200
vary: Prevent a buffer overflow in VRY_Validate()
We might read past the end of the workspace when no space was available
at reservation time. This would normally go unnoticed since we used to
get zeros after the end of workspace marker, and no assertion would
trigger. It became visible with the previous commit for pointer-aligned
workspace sizes like the current page-aligned default values.
Initially caught by wssan from #3320.
Fixes #3319
diff --git a/bin/varnishd/cache/cache_vary.c b/bin/varnishd/cache/cache_vary.c
index 44610e682..1e77730b3 100644
--- a/bin/varnishd/cache/cache_vary.c
+++ b/bin/varnishd/cache/cache_vary.c
@@ -260,6 +260,15 @@ VRY_Finish(struct req *req, enum vry_finish_flag flg)
{
uint8_t *p = NULL;
+ if (req->vary_b + 2 >= req->vary_e) {
+ AZ(req->vary_l);
+ req->vary_b = NULL;
+ req->vary_e = NULL;
+ WS_Release(req->ws, 0);
+ WS_MarkOverflow(req->ws);
+ return;
+ }
+
(void)VRY_Validate(req->vary_b);
if (flg == KEEP && req->vary_l != NULL) {
p = malloc(req->vary_l - req->vary_b);
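Review bot: The new guard at the top of VRY_Finish forms `req->vary_b + 2` before comparing, a pointer that may lie past the end of the workspace when nothing could be reserved (the very case the commit describes), which is out-of-bounds pointer arithmetic even though it is harmless in practice; `if (req->vary_e - req->vary_b < 3)` states the same bound as a length and forms no such pointer. The constant 2 is unexplained in the hunk; it presumably mirrors the header bytes VRY_Validate reads before reaching the terminator, so a one-line comment above the check is worth adding, e.g. `/* Too little space reserved for even the vary header VRY_Validate reads: release, flag overflow, bail. */`. VRY_Finish's body continues past the end of the hunk.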
diff --git a/bin/varnishtest/tests/r03319.vtc b/bin/varnishtest/tests/r03319.vtc
new file mode 100644
index 000000000..4f457fb89
--- /dev/null
+++ b/bin/varnishtest/tests/r03319.vtc
@@ -0,0 +1,21 @@
+varnishtest "Vary handling out of workspace"
+
+varnish v1 -vcl {
+ import vtc;
+
+ backend be none;
+
+ sub vcl_recv {
+ vtc.workspace_alloc(client, vtc.workspace_free(client));
+ }
+
+ sub vcl_backend_fetch {
+ return (error(200));
+ }
+} -start
+
+client c1 {
+ txreq
+ rxresp
+ expect resp.status == 500
+} -run