[master] 618e9f92b Handle badly formatted proxy TLVs

Martin Blix Grydeland martin at varnish-software.com
Tue Feb 4 10:01:07 UTC 2020


commit 618e9f92b13b25d5c5549a0cfd9284c063d1c1d1
Author: Martin Blix Grydeland <martin at varnish-software.com>
Date:   Thu Dec 12 14:53:48 2019 +0100

    Handle badly formatted proxy TLVs
    
    Proxy TLVs claiming to have PP2_TYPE_SSL sub-TLVs without complete payload
    would cause a Varnish assert. This patch fixes the parsing of the TLVs.

diff --git a/bin/varnishd/proxy/cache_proxy_proto.c b/bin/varnishd/proxy/cache_proxy_proto.c
index 7efe6cc2f..3cc0f48a0 100644
--- a/bin/varnishd/proxy/cache_proxy_proto.c
+++ b/bin/varnishd/proxy/cache_proxy_proto.c
@@ -276,8 +276,9 @@ vpx_tlv_itern(struct vpx_tlv_iter *vpi)
 	return (1);
 }
 
-#define VPX_TLV_FOREACH(ptr, len, itv) \
-	for(vpx_tlv_iter0(itv, ptr, len); vpx_tlv_itern(itv);)
+#define VPX_TLV_FOREACH(ptr, len, itv)				\
+	for (vpx_tlv_iter0(itv, ptr, len);			\
+		(vpi->e == NULL) && vpx_tlv_itern(itv);)
 
 int
 VPX_tlv(const struct req *req, int typ, void **dst, int *len)
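Review bot: The new loop condition in `VPX_TLV_FOREACH` tests `vpi->e` by name instead of going through the macro's own `itv` argument. The macro therefore only compiles where a variable called `vpi` is in scope, and the nested use with `vpi2` in vpx_proto2 re-checks the outer iterator's error field rather than the inner one. Writing the condition as `((itv)->e == NULL) && vpx_tlv_itern(itv);)` ties each loop to its own iterator state. Whether vpx_tlv_itern already returns 0 after recording an error cannot be seen here, because its body starts above the hunk. A short comment on the macro, such as `/* stop at the first TLV that recorded a parse error */`, would make the intent explicit.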
@@ -453,6 +454,10 @@ vpx_proto2(const struct worker *wrk, struct req *req)
 
 	VPX_TLV_FOREACH(d, l, vpi) {
 		if (vpi->t == PP2_TYPE_SSL) {
+			if (vpi->l < 5) {
+				vpi->e = "Length Error";
+				break;
+			}
 			VPX_TLV_FOREACH((char*)vpi->p + 5, vpi->l - 5, vpi2) {
 			}
 			vpi->e = vpi2->e;
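Review bot: The literal `5` in the added `if (vpi->l < 5)` guard is unexplained, and it is repeated in the offset and length passed to the inner `VPX_TLV_FOREACH`. It is presumably the fixed prefix of a PP2_TYPE_SSL value (one client byte plus a four-byte verify field) that precedes the sub-TLVs. A single named constant, for example `#define PP2_SSL_HDR_LEN 5` (suggested name), used in all three places would keep the bounds check and the pointer arithmetic from drifting apart. A comment on the guard would also help, such as `/* too short to hold the fixed SSL prefix: reject before computing l - 5 */`. vpx_proto2 starts and ends outside the hunk, so how the "Length Error" string is reported after the loop cannot be checked from here.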
diff --git a/bin/varnishtest/tests/f00005.vtc b/bin/varnishtest/tests/f00005.vtc
index 866d941dd..b1b097fce 100644
--- a/bin/varnishtest/tests/f00005.vtc
+++ b/bin/varnishtest/tests/f00005.vtc
@@ -35,6 +35,18 @@ bb cc dd ee ff 11 22 33
 	expect_close
 } -run
 
+# Badly formatted TLV proxy payload
+client c1 {
+	sendhex {
+0d 0a 0d 0a 00 0d 0a 51
+55 49 54 0a
+21 11 00 13 00 ff 20 ff  10 ff 03 21 20 30 00 20
+20 00 00 19 00 02 29 20  00 00 00 41 20 9e 15 15
+d6 00 00 08 00 00 00 00  00 07 7a 20 b1 3f 43 20
+	}
+	expect_close
+} -run
+
 # Reduced size proxy payload to verify Varnish is still running
 client c1 {
 	sendhex {
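Review bot: The added `sendhex` block is an opaque byte dump, and its comment does not say which field is malformed. A later reader cannot tell what the regression case pins down without decoding the header by hand. From the visible bytes it appears that the TLV following the address block is type `20` with a declared length of `00 00`, which is shorter than the fixed SSL prefix; this reading should be confirmed against the parser. Extending the comment to something like `# PP2_TYPE_SSL TLV whose length is too short to hold its fixed fields` would document the intent. The case asserts only `expect_close` and relies on the next client block to show that the daemon survived, so it is worth stating that dependency in the comment as well.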

