Red Hat Bugzilla – Attachment 1307657 Details for Bug 1477222: CVE-2017-12425 varnish: Missing check for integer overflow when handling chunk sizes in HTTP requests
[patch] varnish 5.0 patch
5.0-Correctly-handle-bogusly-large-chunk-sizes.patch (text/plain), 3.09 KB, created by Adam Mariš on 2017-08-01 14:42:52 UTC
>From 6c9d9481cd4ea569ccff741afbd7590a056bb164 Mon Sep 17 00:00:00 2001 >From: Martin Blix Grydeland <martin@varnish-software.com> >Date: Thu, 27 Jul 2017 11:52:58 +0200 >Subject: [PATCH] Correctly handle bogusly large chunk sizes > >This fixes a denial of service attack vector where bogusly large chunk >sizes in requests could be used to force restarts of the Varnish >server. > >This is Varnish Security Vulnerability VSV00001 > >For more information visit: https://varnish-cache.org/security/VSV00001 > >Fixes: #2379 >--- > bin/varnishd/http1/cache_http1_vfp.c | 2 +- > bin/varnishtest/tests/f00001.vtc | 68 ++++++++++++++++++++++++++++++++++++ > 2 files changed, 69 insertions(+), 1 deletion(-) > create mode 100644 bin/varnishtest/tests/f00001.vtc > >diff --git a/bin/varnishd/http1/cache_http1_vfp.c b/bin/varnishd/http1/cache_http1_vfp.c >index b836cd3..ded1550 100644 >--- a/bin/varnishd/http1/cache_http1_vfp.c >+++ b/bin/varnishd/http1/cache_http1_vfp.c >@@ -155,7 +155,7 @@ v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, > if (q == NULL || *q != '\0') > return (VFP_Error(vc, "chunked header number syntax")); > cl = (ssize_t)cll; >- if((uintmax_t)cl != cll) >+ if (cl < 0 || (uintmax_t)cl != cll) > return (VFP_Error(vc, "bogusly large chunk size")); > > vfe->priv2 = cl; >diff --git a/bin/varnishtest/tests/f00001.vtc b/bin/varnishtest/tests/f00001.vtc >new file mode 100644 >index 0000000..043e30c >--- /dev/null >+++ b/bin/varnishtest/tests/f00001.vtc 
>@@ -0,0 +1,68 @@ >+varnishtest "Check that we handle bogusly large chunks correctly" >+ >+# Check that the bug has been fixed >+ >+server s1 { >+ rxreq >+ txresp >+ >+ accept >+ rxreq >+ txresp >+} -start >+ >+varnish v1 -vcl+backend { >+} -start >+ >+client c1 { >+ send "POST / HTTP/1.1\r\n" >+ send "Transfer-Encoding: chunked\r\n\r\n" >+ send "FFFFFFFFFFFFFFED\r\n" >+ send "0\r\n\r\n" >+ >+ rxresp >+ expect resp.status == 503 >+} -run >+ >+# Check that the published workaround does not cause harm >+ >+varnish v1 -cliok "param.set vcc_allow_inline_c true" >+ >+varnish v1 -vcl+backend { >+ sub exploit_workaround { >+ # This needs to be defined before your vcl_recv function >+ # Make sure that the runtime parameter vcc_allow_inline_c is set to true >+ if (req.http.transfer-encoding ~ "(?i)chunked") { >+ C{ >+ struct dummy_req { >+ unsigned magic; >+ int step; >+ int req_body_status; >+ }; >+ ((struct dummy_req *)ctx->req)->req_body_status = 5; >+ }C >+ >+ return (synth(503, "Bad request")); >+ } >+ } >+ >+ sub vcl_recv { >+ # Call this early in your vcl_recv function >+ call exploit_workaround; >+ } >+} >+ >+client c1 { >+ send "POST / HTTP/1.1\r\n" >+ send "Transfer-Encoding: chunked\r\n\r\n" >+ send "FFFFFFFFFFFFFFED\r\n" >+ send "0\r\n\r\n" >+ >+ expect_close >+} -run >+ >+client c1 { >+ txreq >+ rxresp >+ expect resp.status == 200 >+} -run >-- >2.1.4 >
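Review bot: In bin/varnishd/http1/cache_http1_vfp.c, the range check in v1f_pull_chunked still runs after the narrowing assignment `cl = (ssize_t)cll;`, so `cl < 0` depends on an out-of-range unsigned-to-signed conversion yielding a negative value, which C leaves implementation-defined. Comparing cll against the largest ssize_t value before the assignment would reject the same inputs without relying on that behaviour. A one-line comment would also help future readers: when ssize_t and uintmax_t have the same width, the round-trip comparison `(uintmax_t)cl != cll` can never be true, which is why a value such as FFFFFFFFFFFFFFED (used in the new test) passed the old check.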
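Review bot: In bin/varnishtest/tests/f00001.vtc, the inline-C block inside exploit_workaround writes `req_body_status = 5` through a hand-written `struct dummy_req`, and neither the meaning of 5 nor the assumption that the first three fields match the real request structure is documented. Please add a comment naming the request-body state that 5 stands for and noting that the layout is tied to this Varnish version, since a change to the real structure would make the write land on the wrong field without any compile error. Separately, both client blocks send the same chunk size, FFFFFFFFFFFFFFED; adding cases at the sign boundary (8000000000000000) and at FFFFFFFFFFFFFFFF would show that the new `cl < 0` check covers the whole rejected range rather than one sample value.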