[master] f8b9667f2 Handle out of session workspace in http1_new_session()

Martin Blix Grydeland martin at varnish-software.com
Tue Feb 4 10:01:07 UTC 2020 

commit f8b9667f23c9fd90c5e2260409f82f5f92f4b007
Author: Martin Blix Grydeland <martin at varnish-software.com>
Date:   Thu Dec 12 13:12:48 2019 +0100

    Handle out of session workspace in http1_new_session()
    
    If proxy protocol is in use, it is possible to fill the session workspace
    exactly before entering http1_new_session(), which will cause it to assert
    when calling SES_Reserve_proto_priv().
    
    with this patch we will close the session gracefully.

diff --git a/bin/varnishd/http1/cache_http1_fsm.c b/bin/varnishd/http1/cache_http1_fsm.c
index 4668c5f8c..81ab2e3f6 100644
--- a/bin/varnishd/http1/cache_http1_fsm.c
+++ b/bin/varnishd/http1/cache_http1_fsm.c
@@ -114,7 +114,15 @@ http1_new_session(struct worker *wrk, void *arg)
 	CHECK_OBJ_NOTNULL(sp, SESS_MAGIC);
 
 	HTC_RxInit(req->htc, req->ws);
-	XXXAN(SES_Reserve_proto_priv(sp, &u));
+	if (!SES_Reserve_proto_priv(sp, &u)) {
+		/* Out of session workspace. Free the req, close the sess,
+		 * and do not set a new task func, which will exit the
+		 * worker thread. */
+		VSL(SLT_Error, req->sp->vxid, "insufficient workspace");
+		Req_Release(req);
+		SES_Delete(sp, SC_RX_JUNK, NAN);
+		return;
+	}
 	http1_setstate(sp, H1NEWREQ);
 	wrk->task.func = http1_req;
 	wrk->task.priv = req;
diff --git a/bin/varnishtest/tests/f00005.vtc b/bin/varnishtest/tests/f00005.vtc
new file mode 100644
index 000000000..866d941dd
--- /dev/null
+++ b/bin/varnishtest/tests/f00005.vtc
@@ -0,0 +1,64 @@
+varnishtest "proxy ws panic"
+
+server s1 {
+	rxreq
+	txresp
+} -start
+
+varnish v1 -proto "PROXY" -vcl+backend {}-start
+
+# Too large proxy payload using TLV
+client c1 {
+	sendhex {
+0d 0a 0d 0a 00 0d 0a 51
+55 49 54 0a 21 21 00 93
+aa bb cc dd ee ff 11 22
+33 44 55 66 77 88 99 aa
+bb cc dd ee ff 11 22 33
+44 55 66 77 88 99 aa bb
+88 da 0d 73 02 00 3c 61
+61 61 61 61 61 61 61 61
+61 61 61 61 61 61 61 61
+61 61 61 61 61 61 61 61
+61 61 61 61 61 61 61 61
+61 61 61 61 61 61 61 61
+61 61 61 61 61 61 61 61
+61 61 61 61 61 61 61 61
+61 61 61 20 00 2d 01 01
+00 00 00 21 00 07 54 4c
+53 76 31 2e 32 23 00 1b
+45 43 44 48 45 2d 52 53
+41 2d 41 45 53 32 35 36
+2d 47 43 4d 2d 53 48 41
+33 38 34
+	}
+	expect_close
+} -run
+
+# Reduced size proxy payload to verify Varnish is still running
+client c1 {
+	sendhex {
+0d 0a 0d 0a 00 0d 0a 51
+55 49 54 0a 21 21 00 8b
+aa bb cc dd ee ff 11 22
+33 44 55 66 77 88 99 aa
+bb cc dd ee ff 11 22 33
+44 55 66 77 88 99 aa bb
+88 da 0d 73 02 00 34 61
+61 61 61 61 61 61 61 61
+61 61 61 61 61 61 61 61
+61 61 61 61 61 61 61 61
+61 61 61 61 61 61 61 61
+61 61 61 61 61 61 61 61
+61 61 61 61 61 61 61 61
+61 61 61 20 00 2d 01 01
+00 00 00 21 00 07 54 4c
+53 76 31 2e 32 23 00 1b
+45 43 44 48 45 2d 52 53
+41 2d 41 45 53 32 35 36
+2d 47 43 4d 2d 53 48 41
+33 38 34
+	}
+	txreq
+	rxresp
+} -run

More information about the varnish-commit mailing list