[master] 3a5af9721 scrutinize PROXY header length

Mon Dec 28 18:03:06 UTC 2020

commit 3a5af972189b12bb7e16f529e651fb34834c4ceb
Author: Nils Goroll <nils.goroll at uplex.de>
Date:   Mon Dec 28 18:46:29 2020 +0100

    scrutinize PROXY header length
    
    ref. coverity CID 1430125

diff --git a/bin/varnishd/proxy/cache_proxy_proto.c b/bin/varnishd/proxy/cache_proxy_proto.c
index 870c84130..b468c09d8 100644
--- a/bin/varnishd/proxy/cache_proxy_proto.c
+++ b/bin/varnishd/proxy/cache_proxy_proto.c
@@ -335,7 +335,8 @@ vpx_proto2(const struct worker *wrk, struct req *req)
 	char pb[VTCP_PORTBUFSIZE];
 	struct vpx_tlv_iter vpi[1], vpi2[1];
 	struct vpx_tlv *tlv;
-	unsigned l, hdr_len, flen, alen;
+	uint16_t l;
+	unsigned hdr_len, flen, alen;
 	unsigned const plen = 2, aoff = 16;
 
 	CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
@@ -344,6 +345,7 @@ vpx_proto2(const struct worker *wrk, struct req *req)
 
 	assert(req->htc->rxbuf_e - req->htc->rxbuf_b >= 16L);
 	l = vbe16dec(req->htc->rxbuf_b + 14);
+	assert(l <= VPX_MAX_LEN); // vpx_complete()
 	hdr_len = l + 16L;
 	assert(req->htc->rxbuf_e >= req->htc->rxbuf_b + hdr_len);
 	HTC_RxPipeline(req->htc, req->htc->rxbuf_b + hdr_len);
@@ -479,7 +481,7 @@ static enum htc_status_e v_matchproto_(htc_complete_f)
 vpx_complete(struct http_conn *htc)
 {
 	size_t z, l;
-	unsigned j;
+	uint16_t j;
 	char *p, *q;
 
 	CHECK_OBJ_NOTNULL(htc, HTTP_CONN_MAGIC);
@@ -508,6 +510,8 @@ vpx_complete(struct http_conn *htc)
 			if (l < 16)
 				return (HTC_S_MORE);
 			j = vbe16dec(p + 14);
+			if (j > VPX_MAX_LEN)
+				return (HTC_S_OVERFLOW);
 			if (l < 16L + j)
 				return (HTC_S_MORE);
 			return (HTC_S_COMPLETE);
diff --git a/bin/varnishtest/tests/o00001.vtc b/bin/varnishtest/tests/o00001.vtc
index bc07ac3e4..5a6b35913 100644
--- a/bin/varnishtest/tests/o00001.vtc
+++ b/bin/varnishtest/tests/o00001.vtc
@@ -202,11 +202,8 @@ delay .1
 client c2 {
 	# max length with garbage
 	sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a"
-	# annouce 1025 bytes
+	# annouce 1025 bytes > 1024 implicit limit
 	sendhex "20 00 04 01"
-	# 1024 bytes implicit proxy hdr limit
-	send_n 64 "0123456789abcdef"
-	timeout 8
 	expect_close
 } -run
 
