Fix http1_splitline parsing of 2 field HTTP proto lines using NLNL

When parsing a request like this, "GET /\n\n", the first NL would be overwritten by nul guard inserted after the 2nd field, and the second NL would be overwritten by the nul guard after the missing 3rd field. This would cause http1_dissect_hdrs to attempt to decode the body as headers.

Fix http1_splitline parsing of 2 field HTTP proto lines using NLNL
When parsing a request like this, "GET /\n\n", the first NL would be overwritten by nul guard inserted after the 2nd field, and the second NL would be overwritten by the nul guard after the missing 3rd field. This would cause http1_dissect_hdrs to attempt to decode the body as headers.
72df38fa · Martin Blix Grydeland · 0f0e51e9 · 72df38fa
Commit 72df38fa authored Aug 15, 2019 by Martin Blix Grydeland
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 2 deletions

cache_http1_proto.c bin/varnishd/http1/cache_http1_proto.c +7 -2

No files found.
--- a/bin/varnishd/http1/cache_http1_proto.c
+++ b/bin/varnishd/http1/cache_http1_proto.c
@@ -218,7 +218,7 @@ static uint16_t
 http1_splitline(struct http *hp, struct http_conn *htc, const int *hf,
    unsigned maxhdr)
 {
-	char *p;
+	char *p, *q;
 	int i;

 	assert(hf == HTTP1_Req || hf == HTTP1_Resp);
@@ -259,14 +259,19 @@ http1_splitline(struct http *hp, struct http_conn *htc, const int *hf,
 	hp->hd[hf[1]].e = p;
 	if (!Tlen(hp->hd[hf[1]]))
 		return (400);
-	*p++ = '\0';

 	/* Skip SP */
+	q = p;
 	for (; vct_issp(*p); p++) {
 		if (vct_isctl(*p))
 			return (400);
 	}
 	hp->hd[hf[2]].b = p;
+	if (q < p)
+		*q = '\0';	/* Nul guard for the 2nd field. If q == p
+				 * (the third optional field is not
+				 * present), the last nul guard will
+				 * cover this field. */

 	/* Third field is optional and cannot contain CTL except TAB */
 	for (; p < htc->rxbuf_e && !vct_iscrlf(p, htc->rxbuf_e); p++) {