[6.0] 5a4a8ba5f Make sure resp.reason is on workspace before using it in vcl_synth

Reza Naghibi reza at naghibi.com
Tue Apr 20 18:13:05 UTC 2021


commit 5a4a8ba5fa137985cddf5dfca25f935ac356034a
Author: Reza Naghibi <reza at naghibi.com>
Date:   Mon Mar 8 11:27:16 2021 -0500

    Make sure resp.reason is on workspace before using it in vcl_synth
    
    We can incorrectly reference resp.reason from other sources when
    jumping into vcl_synth. This also covers passing in a reason in
    vcl_backend_error.

diff --git a/bin/varnishd/cache/cache_vrt.c b/bin/varnishd/cache/cache_vrt.c
index 20d855478..27c80fb5d 100644
--- a/bin/varnishd/cache/cache_vrt.c
+++ b/bin/varnishd/cache/cache_vrt.c
@@ -76,6 +76,14 @@ VRT_synth(VRT_CTX, VCL_INT code, VCL_STRING reason)
 		return;
 	}
 
+	if (reason && !WS_Inside(ctx->ws, reason, NULL)) {
+		reason = WS_Copy(ctx->ws, reason, -1);
+		if (!reason) {
+			VRT_fail(ctx, "Workspace overflow");
+			return;
+		}
+	}
+
 	if (ctx->req == NULL) {
 		CHECK_OBJ_NOTNULL(ctx->bo, BUSYOBJ_MAGIC);
 		ctx->bo->err_code = (uint16_t)code;
diff --git a/bin/varnishtest/tests/r03546.vtc b/bin/varnishtest/tests/r03546.vtc
new file mode 100644
index 000000000..20cf8a85b
--- /dev/null
+++ b/bin/varnishtest/tests/r03546.vtc
@@ -0,0 +1,21 @@
+varnishtest "Synth resp.reason race"
+
+varnish v1 -vcl {
+	backend default none;
+
+	sub vcl_backend_error {
+		set beresp.status = 500;
+		set beresp.reason = "VCL";
+	}
+
+	sub vcl_deliver {
+		return (synth(resp.status, resp.reason));
+	}
+} -start
+
+client c1 {
+	txreq
+	rxresp
+	expect resp.status == 500
+	expect resp.reason == "VCL"
+} -run


More information about the varnish-commit mailing list