[PATCH 5/8] Return 503 when Vary-headers references header names more than 127 (out limit) characters long.
Martin Blix Grydeland
martin at varnish-software.com
Mon Mar 18 17:57:26 CET 2013
Fixes: #1274
Test case by: Dag Haavi Finstad
---
bin/varnishd/cache/cache_vary.c | 7 +++++++
bin/varnishtest/tests/r01274.vtc | 15 +++++++++++++++
2 files changed, 22 insertions(+)
create mode 100644 bin/varnishtest/tests/r01274.vtc
diff --git a/bin/varnishd/cache/cache_vary.c b/bin/varnishd/cache/cache_vary.c
index 34f1891..2a1cb6d 100644
--- a/bin/varnishd/cache/cache_vary.c
+++ b/bin/varnishd/cache/cache_vary.c
@@ -106,6 +106,13 @@ VRY_Create(struct req *req, const struct http *hp, struct vsb **psb)
for (q = p; *q && !vct_issp(*q) && *q != ','; q++)
continue;
+ if (q - p > INT8_MAX) {
+ VSLb(req->vsl, SLT_Error,
+ "Vary header name length exceeded");
+ error = 1;
+ break;
+ }
+
/* Build a header-matching string out of it */
VSB_clear(sbh);
VSB_printf(sbh, "%c%.*s:%c",
diff --git a/bin/varnishtest/tests/r01274.vtc b/bin/varnishtest/tests/r01274.vtc
new file mode 100644
index 0000000..fe427cc
--- /dev/null
+++ b/bin/varnishtest/tests/r01274.vtc
@@ -0,0 +1,15 @@
+varnishtest "#1274 - panic when Vary field-name is too large to fit in a signed char"
+
+server s1 {
+ rxreq
+ # Vary header more than 127 characters long
+ txresp -hdr "Vary: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+} -start
+
+varnish v1 -vcl+backend { } -start
+
+client c1 {
+ txreq
+ rxresp
+ expect resp.status == 503
+} -run
--
1.7.10.4
More information about the varnish-dev
mailing list