Reject headers without name

bin/varnishd/http1/cache_http1_proto.c

@@ -155,16 +155,16 @@ http1_dissect_hdrs(struct http *hp, char *p, struct http_conn *htc,
 				*q++ = ' ';
 		}
 
+		/* Empty header = end of headers */
+		if (p == q)
+			break;
+
 		if (q - p > maxhdr) {
 			VSLb(hp->vsl, SLT_BogoHeader, "Header too long: %.*s",
 			    (int)(q - p > 20 ? 20 : q - p), p);
 			return (400);
 		}
 
-		/* Empty header = end of headers */
-		if (p == q)
-			break;
-
 		if (vct_islws(*p)) {
 			VSLb(hp->vsl, SLT_BogoHeader,
 			    "1st header has white space: %.*s",
@@ -172,6 +172,13 @@ http1_dissect_hdrs(struct http *hp, char *p, struct http_conn *htc,
 			return (400);
 		}
 
+		if (*p == ':') {
+			VSLb(hp->vsl, SLT_BogoHeader,
+			    "Missing header name: %.*s",
+			    (int)(q - p > 20 ? 20 : q - p), p);
+			return (400);
+		}
+
 		if ((p[0] == 'i' || p[0] == 'I') &&
 		    (p[1] == 'f' || p[1] == 'F') &&
 		    p[2] == '-')

bin/varnishtest/tests/b00040.vtc

@@ -2,7 +2,7 @@ varnishtest "test certain mailformed requests"
 
 server s1 {
 	rxreq
-	# expect req.url == /3
+	expect req.url == /4
 	txresp
 } -start
 
@@ -15,6 +15,7 @@ logexpect l1 -v v1 -g raw {
 	expect * 1010 BogoHeader {Header has ctrl char 0x01}
 	expect * 1012 BogoHeader {Header has ctrl char 0x0d}
 	expect * 1014 BogoHeader {Header has ctrl char 0x0d}
+	expect * 1016 BogoHeader {Missing header name:.*}
 } -start
 
 client c1 {
@@ -71,6 +72,13 @@ client c1 {
 	rxresp
 	expect resp.status == 400
 } -run
+delay .1
+
+client c1 {
+	send "GET /8 HTTP/1.1\r\nHost: foo\r\n: Header\r\n\r\n"
+	rxresp
+	expect resp.status == 400
+} -run
 
 logexpect l1 -wait