File 0001-Handle-badly-formatted-proxy-TLVs.patch of Package varnish.12875

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-Handle-badly-formatted-proxy-TLVs.patch of Package varnish.12875

From d28b56d2638c7e12bd16fba4e2ccd00789bb84c8 Mon Sep 17 00:00:00 2001
From: Martin Blix Grydeland <martin@varnish-software.com>
Date: Thu, 12 Dec 2019 14:53:48 +0100
Subject: [PATCH] Handle badly formatted proxy TLVs

Proxy TLVs claiming to have PP2_TYPE_SSL sub-TLVs without complete payload
would cause a Varnish assert. This patch fixes the parsing of the TLVs.
---
 bin/varnishd/proxy/cache_proxy_proto.c |  9 +++++++--

diff --git a/bin/varnishd/proxy/cache_proxy_proto.c b/bin/varnishd/proxy/cache_proxy_proto.c
index c6255b6e6..15b243491 100644
--- a/bin/varnishd/proxy/cache_proxy_proto.c
+++ b/bin/varnishd/proxy/cache_proxy_proto.c
@@ -276,8 +276,9 @@ vpx_tlv_itern(struct vpx_tlv_iter *vpi)
 	return (1);
 }
 
-#define VPX_TLV_FOREACH(ptr, len, itv) \
-	for(vpx_tlv_iter0(itv, ptr, len); vpx_tlv_itern(itv);)
+#define VPX_TLV_FOREACH(ptr, len, itv)				\
+	for (vpx_tlv_iter0(itv, ptr, len);			\
+		(vpi->e == NULL) && vpx_tlv_itern(itv);)
 
 int
 VPX_tlv(const struct req *req, int typ, void **dst, int *len)
@@ -453,6 +454,10 @@ vpx_proto2(const struct worker *wrk, struct req *req)
 
 	VPX_TLV_FOREACH(d, l, vpi) {
 		if (vpi->t == PP2_TYPE_SSL) {
+			if (vpi->l < 5) {
+				vpi->e = "Length Error";
+				break;
+			}
 			VPX_TLV_FOREACH((char*)vpi->p + 5, vpi->l - 5, vpi2) {
 			}
 			vpi->e = vpi2->e;
-- 
2.26.2

Places

File 0001-Handle-badly-formatted-proxy-TLVs.patch of Package varnish.12875

Places