[4.0] 138015a Correctly handle bogusly large chunk sizes
Pål Hermunn Johansen
hermunn at varnish-software.com
Wed Aug 2 12:02:06 CEST 2017
commit 138015a3a5251da2ce56389435fe046c4b7da135
Author: Martin Blix Grydeland <martin at varnish-software.com>
Date: Thu Jul 27 11:52:58 2017 +0200
Correctly handle bogusly large chunk sizes
This fixes a denial of service attack vector where bogusly large chunk
sizes in requests could be used to force restarts of the Varnish
server.
This is Varnish Security Vulnerability VSV00001
For more information visit: https://varnish-cache.org/security/VSV00001
Fixes: #2379
diff --git a/bin/varnishd/cache/cache_http1_proto.c b/bin/varnishd/cache/cache_http1_proto.c
index 1142011..a6ff014 100644
--- a/bin/varnishd/cache/cache_http1_proto.c
+++ b/bin/varnishd/cache/cache_http1_proto.c
@@ -586,7 +586,7 @@ HTTP1_Chunked(struct http_conn *htc, intptr_t *priv, const char **error,
if (q == NULL || *q != '\0')
ERR("chunked header number syntax");
cl = (ssize_t)cll;
- if((uintmax_t)cl != cll)
+ if (cl < 0 || (uintmax_t)cl != cll)
ERR("bogusly large chunk size");
*priv = cl;
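Review bot: The corrected check still derives `cl` by narrowing an out-of-range `uintmax_t` to `ssize_t` on the `cl = (ssize_t)cll;` line and then inspects the result; that conversion is implementation-defined in C, so `cl < 0 || (uintmax_t)cl != cll` validates whatever the implementation happened to produce rather than the input value itself. Comparing before the cast is portable and self-explanatory: `if (cll > SSIZE_MAX)` / `ERR("bogusly large chunk size");` / `cl = (ssize_t)cll;`, after which the `cl < 0` clause is no longer needed (SSIZE_MAX comes from <limits.h>). How `cll` and `q` are produced, and whether the accepted size is later bounded against any configured limit, is not visible here; HTTP1_Chunked's body continues outside the hunk on both sides.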
diff --git a/bin/varnishtest/tests/f00001.vtc b/bin/varnishtest/tests/f00001.vtc
new file mode 100644
index 0000000..32d54f7
--- /dev/null
+++ b/bin/varnishtest/tests/f00001.vtc
@@ -0,0 +1,83 @@
+varnishtest "Check that we handle bogusly large chunks correctly"
+
+# Check that the bug has been fixed
+
+server s1 {
+ rxreq
+ txresp
+
+ accept
+ rxreq
+ txresp
+} -start
+
+varnish v1 -vcl+backend {
+} -start
+
+client c1 {
+ send "POST / HTTP/1.1\r\n"
+ send "Transfer-Encoding: chunked\r\n\r\n"
+ send "FFFFFFFFFFFFFFED\r\n"
+ send "0\r\n\r\n"
+
+ rxresp
+ expect resp.status == 503
+} -run
+
+# Check that the published workaround does not cause harm
+
+varnish v1 -cliok "param.set vcc_allow_inline_c true"
+
+varnish v1 -vcl+backend {
+ sub exploit_workaround {
+ # This needs to be defined before your vcl_recv function
+ # Make sure that the runtime parameter vcc_allow_inline_c is set to true
+ # This code is only valid with version 4.0 of Varnish Cache
+ if (req.http.transfer-encoding ~ "(?i)chunked") {
+ C{
+ struct dummy_req {
+ unsigned magic;
+ int restarts;
+ int esi_level;
+ int disable_esi;
+ char hash_ignore_busy;
+ char hash_always_miss;
+ void *sp;
+ void *wrk;
+ int req_step;
+ struct {
+ void * a;
+ void * b;
+ };
+ int req_body_status;
+ };
+ ((struct dummy_req *)ctx->req)->req_body_status = 6;
+ }C
+
+ return (synth(503, "Bad request"));
+ }
+ }
+
+ sub vcl_recv {
+ # Call this early in your vcl_recv function
+ call exploit_workaround;
+ }
+}
+
+client c1 {
+ send "POST / HTTP/1.1\r\n"
+ send "Transfer-Encoding: chunked\r\n\r\n"
+ send "FFFFFFFFFFFFFFED\r\n"
+ send "0\r\n\r\n"
+
+ rxresp
+ expect resp.status == 400
+} -run
+
+# Make sure that varnish is still running
+
+client c1 {
+ txreq
+ rxresp
+ expect resp.status == 200
+} -run
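Review bot: The second client expects `resp.status == 400` although the workaround VCL above it returns `synth(503, "Bad request")`, and nothing in the test says why; a one-line comment next to the expectation stating the reason 400 rather than 503 is the intended outcome would keep a later reader from "correcting" it to 503. The literal `6` assigned to `req_body_status` should likewise be annotated with the enum constant it stands for (presumably the REQ_BODY_FAIL member of the 4.0 request-body state enum — verify against the headers), since the mirrored `struct dummy_req` layout already ties this test to one exact layout of the real request struct. The `# This code is only valid with version 4.0 of Varnish Cache` note is the right caveat; naming the constant makes the breakage obvious when the layout changes.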
diff --git a/doc/changes.rst b/doc/changes.rst
index f663c45..50d9fc7 100644
--- a/doc/changes.rst
+++ b/doc/changes.rst
@@ -1,3 +1,14 @@
+========================================
+Changes from 4.0.4 to 4.0.5 (unreleased)
+========================================
+
+Bugs fixed
+----------
+
+* 2379_ - Correctly handle bogusly large chunk sizes (VSV00001)
+
+.. _2379: https://github.com/varnishcache/varnish-cache/issues/2379
+
==============================================
Changes from 4.0.4-beta1 to 4.0.4 (2016-11-30)
==============================================