Red Hat Bugzilla – Attachment 1307655 Details for Bug 1477222: CVE-2017-12425 varnish: Missing check for integer overflow when handling chunk sizes in HTTP requests
[patch] varnish 4.0 patch
4.0-Correctly-handle-bogusly-large-chunk-sizes.patch (text/plain), 3.05 KB, created by Adam Mariš on 2017-08-01 14:41:52 UTC
>From 0bfe7ff1b13acf61a26bbeb12fa1530a3b78188b Mon Sep 17 00:00:00 2001 >From: Martin Blix Grydeland <martin@varnish-software.com> >Date: Thu, 27 Jul 2017 11:52:58 +0200 >Subject: [PATCH] Correctly handle bogusly large chunk sizes > >This fixes a denial of service attack vector where bogusly large chunk >sizes in requests could be used to force restarts of the Varnish >server. > >This is Varnish Security Vulnerability VSV00001 > >For more information visit: https://varnish-cache.org/security/VSV00001 > >Fixes: #2379 >--- > bin/varnishd/cache/cache_http1_proto.c | 2 +- > bin/varnishtest/tests/f00001.vtc | 83 ++++++++++++++++++++++++++++++++++ > 2 files changed, 84 insertions(+), 1 deletion(-) > create mode 100644 bin/varnishtest/tests/f00001.vtc > >diff --git a/bin/varnishd/cache/cache_http1_proto.c b/bin/varnishd/cache/cache_http1_proto.c >index 1142011..a6ff014 100644 >--- a/bin/varnishd/cache/cache_http1_proto.c >+++ b/bin/varnishd/cache/cache_http1_proto.c >@@ -586,7 +586,7 @@ HTTP1_Chunked(struct http_conn *htc, intptr_t *priv, const char **error, > if (q == NULL || *q != '\0') > ERR("chunked header number syntax"); > cl = (ssize_t)cll; >- if((uintmax_t)cl != cll) >+ if (cl < 0 || (uintmax_t)cl != cll) > ERR("bogusly large chunk size"); > > *priv = cl; >diff --git a/bin/varnishtest/tests/f00001.vtc b/bin/varnishtest/tests/f00001.vtc >new file mode 100644 >index 0000000..32d54f7 >--- /dev/null >+++ b/bin/varnishtest/tests/f00001.vtc 
>@@ -0,0 +1,83 @@ >+varnishtest "Check that we handle bogusly large chunks correctly" >+ >+# Check that the bug has been fixed >+ >+server s1 { >+ rxreq >+ txresp >+ >+ accept >+ rxreq >+ txresp >+} -start >+ >+varnish v1 -vcl+backend { >+} -start >+ >+client c1 { >+ send "POST / HTTP/1.1\r\n" >+ send "Transfer-Encoding: chunked\r\n\r\n" >+ send "FFFFFFFFFFFFFFED\r\n" >+ send "0\r\n\r\n" >+ >+ rxresp >+ expect resp.status == 503 >+} -run >+ >+# Check that the published workaround does not cause harm >+ >+varnish v1 -cliok "param.set vcc_allow_inline_c true" >+ >+varnish v1 -vcl+backend { >+ sub exploit_workaround { >+ # This needs to be defined before your vcl_recv function >+ # Make sure that the runtime parameter vcc_allow_inline_c is set to true >+ # This code is only valid with version 4.0 of Varnish Cache >+ if (req.http.transfer-encoding ~ "(?i)chunked") { >+ C{ >+ struct dummy_req { >+ unsigned magic; >+ int restarts; >+ int esi_level; >+ int disable_esi; >+ char hash_ignore_busy; >+ char hash_always_miss; >+ void *sp; >+ void *wrk; >+ int req_step; >+ struct { >+ void * a; >+ void * b; >+ }; >+ int req_body_status; >+ }; >+ ((struct dummy_req *)ctx->req)->req_body_status = 6; >+ }C >+ >+ return (synth(503, "Bad request")); >+ } >+ } >+ >+ sub vcl_recv { >+ # Call this early in your vcl_recv function >+ call exploit_workaround; >+ } >+} >+ >+client c1 { >+ send "POST / HTTP/1.1\r\n" >+ send "Transfer-Encoding: chunked\r\n\r\n" >+ send "FFFFFFFFFFFFFFED\r\n" >+ send "0\r\n\r\n" >+ >+ rxresp >+ expect resp.status == 400 >+} -run >+ >+# Make sure that varnish is still running >+ >+client c1 { >+ txreq >+ rxresp >+ expect resp.status == 200 >+} -run >-- >2.1.4 >
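Review bot: in HTTP1_Chunked() in cache_http1_proto.c, the range check still runs after the narrowing assignment `cl = (ssize_t)cll;`, so it depends on how the compiler converts an out-of-range unsigned value to a signed type, which C leaves implementation-defined. Comparing before the cast, for example `if (cll > SSIZE_MAX) ERR("bogusly large chunk size");` followed by the assignment, states the intent directly and makes both the `cl < 0` test and the round-trip comparison unnecessary. If the current form is kept, a one-line comment explaining why the round-trip comparison alone let values with the top bit set through would help the next reader.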
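Review bot: in the second `client c1` block of f00001.vtc, `expect resp.status == 400` does not match the `return (synth(503, "Bad request"))` in `exploit_workaround` a few lines above, and nothing in the test says where the 400 comes from. A comment stating which code path produces the 400 once `req_body_status` is set to 6 would make the expectation checkable, and the bare constant 6 deserves a note naming the state it stands for. The test also sends only one chunk size, `FFFFFFFFFFFFFFED`; a second case at the sign boundary of a 64-bit ssize_t would exercise the new `cl < 0` condition at its edge rather than only near the top of the unsigned range.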