Return 503 when Vary-headers references header names more than 127

(out limit) characters long. Fixes: #1274 Test case by: Dag Haavi Finstad

Return 503 when Vary-headers references header names more than 127
(out limit) characters long. Fixes: #1274 Test case by: Dag Haavi Finstad
f5c42c6a · Martin Blix Grydeland · f8f75cb1 · f5c42c6a · f5c42c6a
Commit f5c42c6a authored Mar 18, 2013 by Martin Blix Grydeland
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 0 deletions

cache_vary.c bin/varnishd/cache/cache_vary.c +7 -0

r01274.vtc bin/varnishtest/tests/r01274.vtc +15 -0

No files found.
--- a/bin/varnishd/cache/cache_vary.c
+++ b/bin/varnishd/cache/cache_vary.c
@@ -101,6 +101,13 @@ VRY_Create(struct req *req, const struct http *hp, struct vsb **psb)
 		for (q = p; *q && !vct_issp(*q) && *q != ','; q++)
 			continue;

+		if (q - p > INT8_MAX) {
+			VSLb(req->vsl, SLT_Error,
+			    "Vary header name length exceeded");
+			error = 1;
+			break;
+		}
+
 		/* Build a header-matching string out of it */
 		VSB_clear(sbh);
 		VSB_printf(sbh, "%c%.*s:%c",

--- a/bin/varnishtest/tests/r01274.vtc
+++ b/bin/varnishtest/tests/r01274.vtc
+varnishtest "#1274 - panic when Vary field-name is too large to fit in a signed char"
+
+server s1 {
+       rxreq
+       # Vary header more than 127 characters long
+       txresp -hdr "Vary: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 
+} -start
+
+varnish v1 -vcl+backend { } -start
+
+client c1 {
+       txreq
+       rxresp
+       expect resp.status == 503
+} -run