Avoid buffer read overflow on vcl_error and -sfile

The file stevedore may return a buffer larger than asked for when requesting storage. Due to lack of check for this condition, the code to copy the synthetic error memory buffer from vcl_error would overrun the buffer. Patch by @shamger Fixes: #2429

Avoid buffer read overflow on vcl_error and -sfile
The file stevedore may return a buffer larger than asked for when requesting storage. Due to lack of check for this condition, the code to copy the synthetic error memory buffer from vcl_error would overrun the buffer. Patch by @shamger Fixes: #2429
19a73184 · Martin Blix Grydeland · Pål Hermunn Johansen · 970f2a3a · 19a73184
Commit 19a73184 authored Sep 18, 2017 by Martin Blix Grydeland Committed by Pål Hermunn Johansen Sep 19, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

cache_fetch.c bin/varnishd/cache/cache_fetch.c +2 -0

No files found.
--- a/bin/varnishd/cache/cache_fetch.c
+++ b/bin/varnishd/cache/cache_fetch.c
@@ -873,6 +873,8 @@ vbf_stp_error(struct worker *wrk, struct busyobj *bo)
 		l = ll;
 		if (VFP_GetStorage(bo->vfc, &l, &ptr) != VFP_OK)
 			break;
+		if (l > ll)
+			l = ll;
 		memcpy(ptr, VSB_data(synth_body) + o, l);
 		VBO_extend(bo, l);
 		ll -= l;