[master] 3beb5c8b9 Fix missed adjustments to vsl buffer space checks

Nils Goroll nils.goroll at uplex.de
Mon Oct 10 16:30:12 UTC 2022


commit 3beb5c8b90744319064b09e6c372908e5f49217c
Author: Nils Goroll <nils.goroll at uplex.de>
Date:   Mon Oct 10 18:21:39 2022 +0200

    Fix missed adjustments to vsl buffer space checks
    
    Refs 8df30240174b190db2601f4d64c28ee313eae486
    
    Fixes #3856

diff --git a/bin/varnishd/cache/cache_shmlog.c b/bin/varnishd/cache/cache_shmlog.c
index 8c2ca46c0..eccdf69e1 100644
--- a/bin/varnishd/cache/cache_shmlog.c
+++ b/bin/varnishd/cache/cache_shmlog.c
@@ -382,18 +382,18 @@ VSLbs(struct vsl_log *vsl, enum VSL_tag_e tag, const struct strands *s)
 	/* including NUL */
 	l = vmin_t(unsigned, strands_len(s) + 1, mlen);
 
-	assert(vsl->wlp < vsl->wle);
+	assert(vsl->wlp <= vsl->wle);
 
 	/* Flush if necessary */
-	if (VSL_END(vsl->wlp, l) >= vsl->wle)
+	if (VSL_END(vsl->wlp, l) > vsl->wle)
 		VSL_Flush(vsl, 1);
-	assert(VSL_END(vsl->wlp, l) < vsl->wle);
+	assert(VSL_END(vsl->wlp, l) <= vsl->wle);
 
 	mlen = strands_cat(VSL_DATA(vsl->wlp), l, s);
 	assert(l == mlen);
 
 	vsl->wlp = vsl_hdr(tag, vsl->wlp, l, vsl->wid);
-	assert(vsl->wlp < vsl->wle);
+	assert(vsl->wlp <= vsl->wle);
 	vsl->wlr++;
 
 	if (DO_DEBUG(DBG_SYNCVSL))
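Review bot: The comparisons against `vsl->wle` now accept `wlp == wle` as a legal state, but nothing in the hunk states that `wle` is an exclusive end pointer, which is presumably how these four checks were missed in the earlier change. A short comment above the first assert would make the convention explicit, for example `/* wle is the exclusive end of the buffer: wlp == wle means full, not overrun */`, assuming that is the intended meaning. The post-flush `assert(VSL_END(vsl->wlp, l) <= vsl->wle)` is also the only bound on the `strands_cat()` write into `VSL_DATA(vsl->wlp)`. It holds only if `mlen` can never exceed what an empty buffer can take, and `mlen` is set above the hunk, so that relation should be confirmed or documented there. VSLbs() starts and ends outside the hunk.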
diff --git a/bin/varnishtest/tests/r03856.vtc b/bin/varnishtest/tests/r03856.vtc
new file mode 100644
index 000000000..06f1c32fe
--- /dev/null
+++ b/bin/varnishtest/tests/r03856.vtc
@@ -0,0 +1,47 @@
+varnishtest "Regression test off-by-one in VSLbs"
+
+# vsl_buffer=257 bytes - 2 bytes header -> 255 bytes
+
+varnish v1 -arg "-p vsl_buffer=267" -vcl {
+	import debug;
+	backend b None;
+	sub vcl_recv {
+
+		# Assert error in VSLbs(), cache/cache_shmlog.c line 385:
+		#   Condition(vsl->wlp < vsl->wle) not true.
+
+		debug.vsl_flush();
+		set req.http.a =
+			# 255 = "a: " + 8 * 32 - 4
+			"0123456789abcdef0123456789abcdef" +
+			"0123456789abcdef0123456789abcdef" +
+			"0123456789abcdef0123456789abcdef" +
+			"0123456789abcdef0123456789abcdef" +
+			"0123456789abcdef0123456789abcdef" +
+			"0123456789abcdef0123456789abcdef" +
+			"0123456789abcdef0123456789abcdef" +
+			"0123456789abcdef0123456789ab";
+		debug.return_strands("xyz");
+
+		# Assert error in VSLbs(), cache/cache_shmlog.c line 390:
+		#   Condition(VSL_END(vsl->wlp, l) < vsl->wle) not true.
+		debug.vsl_flush();
+		debug.return_strands(
+			# 255 = 8 * 32 - 1
+			"0123456789abcdef0123456789abcdef" +
+			"0123456789abcdef0123456789abcdef" +
+			"0123456789abcdef0123456789abcdef" +
+			"0123456789abcdef0123456789abcdef" +
+			"0123456789abcdef0123456789abcdef" +
+			"0123456789abcdef0123456789abcdef" +
+			"0123456789abcdef0123456789abcdef" +
+			"0123456789abcdef0123456789abcde");
+		return (synth(200));
+	}
+} -start
+
+client c1 {
+	txreq
+	rxresp
+	expect resp.status == 200
+} -run
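Review bot: The header comment `# vsl_buffer=257 bytes - 2 bytes header -> 255 bytes` disagrees with the parameter actually passed, `-p vsl_buffer=267`, so the arithmetic that makes the two 255-byte payloads land exactly on the buffer boundary is not what the comment describes. The comment should be corrected to show how 267 yields a 255-byte record, or the value changed if 257 was intended. The test also appears to depend on the record length limit being 255 without setting it. If so, passing `-p vsl_reclen=255` alongside `vsl_buffer` would keep the boundary case pinned should that default ever change.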

