[6.0] ce025dca6 Handle badly formatted proxy TLVs
Martin Blix Grydeland
martin at varnish-software.com
Tue Feb 4 10:02:08 UTC 2020
commit ce025dca6d1861a237de343c67c8abbee01d70a3
Author: Martin Blix Grydeland <martin at varnish-software.com>
Date: Thu Dec 12 14:53:48 2019 +0100
Handle badly formatted proxy TLVs
Proxy TLVs claiming to have PP2_TYPE_SSL sub-TLVs without complete payload
would cause a Varnish assert. This patch fixes the parsing of the TLVs.
diff --git a/bin/varnishd/proxy/cache_proxy_proto.c b/bin/varnishd/proxy/cache_proxy_proto.c
index 0c7be9bb3..64a3a2b08 100644
--- a/bin/varnishd/proxy/cache_proxy_proto.c
+++ b/bin/varnishd/proxy/cache_proxy_proto.c
@@ -276,8 +276,9 @@ vpx_tlv_itern(struct vpx_tlv_iter *vpi)
return (1);
}
-#define VPX_TLV_FOREACH(ptr, len, itv) \
- for(vpx_tlv_iter0(itv, ptr, len); vpx_tlv_itern(itv);)
+#define VPX_TLV_FOREACH(ptr, len, itv) \
+ for (vpx_tlv_iter0(itv, ptr, len); \
+ (vpi->e == NULL) && vpx_tlv_itern(itv);)
int
VPX_tlv(const struct req *req, int typ, void **dst, int *len)
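Review bot: The new loop condition in `VPX_TLV_FOREACH` tests `vpi->e` rather than the macro's own `itv` argument. It therefore only compiles where a variable named `vpi` is in scope, and in the nested use with `vpi2` in vpx_proto2 it checks the outer iterator's error instead of the inner one's, leaving the inner loop to stop only through `vpx_tlv_itern`. Writing the condition as `((itv)->e == NULL) && vpx_tlv_itern(itv);)` ties each loop to its own iterator. The body of VPX_tlv is outside this hunk, so its use of the macro cannot be checked from here.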
@@ -453,6 +454,10 @@ vpx_proto2(const struct worker *wrk, struct req *req)
VPX_TLV_FOREACH(d, l, vpi) {
if (vpi->t == PP2_TYPE_SSL) {
+ if (vpi->l < 5) {
+ vpi->e = "Length Error";
+ break;
+ }
VPX_TLV_FOREACH((char*)vpi->p + 5, vpi->l - 5, vpi2) {
}
vpi->e = vpi2->e;
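Review bot: The literal `5` in the new `vpi->l < 5` guard is unexplained, and the same value is repeated in both arguments of the nested `VPX_TLV_FOREACH`. It appears to be the fixed part of the PP2_TYPE_SSL payload that precedes the sub-TLVs (a 1-byte client field and a 4-byte verify field). A comment such as `/* PP2_TYPE_SSL: 1 byte client + 4 bytes verify precede the sub-TLVs */`, or one named constant used in all three places, would keep the bound and the offset from drifting apart. The rest of vpx_proto2 is outside the hunk, so how `vpi->e` is reported after the `break` is not visible here.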
diff --git a/bin/varnishtest/tests/f00005.vtc b/bin/varnishtest/tests/f00005.vtc
index 866d941dd..b1b097fce 100644
--- a/bin/varnishtest/tests/f00005.vtc
+++ b/bin/varnishtest/tests/f00005.vtc
@@ -35,6 +35,18 @@ bb cc dd ee ff 11 22 33
expect_close
} -run
+# Badly formatted TLV proxy payload
+client c1 {
+ sendhex {
+0d 0a 0d 0a 00 0d 0a 51
+55 49 54 0a
+21 11 00 13 00 ff 20 ff 10 ff 03 21 20 30 00 20
+20 00 00 19 00 02 29 20 00 00 00 41 20 9e 15 15
+d6 00 00 08 00 00 00 00 00 07 7a 20 b1 3f 43 20
+ }
+ expect_close
+} -run
+
# Reduced size proxy payload to verify Varnish is still running
client c1 {
sendhex {
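Review bot: The comment `# Badly formatted TLV proxy payload` does not say which part of the hex dump is malformed, which makes the case hard to maintain or extend. Going by the commit description, a line such as `# PP2_TYPE_SSL TLV without a complete payload (used to trigger an assert)` above `sendhex` would tie the bytes to the bug being guarded. The case itself only asserts `expect_close`; it appears to rely on the following "Reduced size proxy payload" client to show that the child process survived.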