Merge r4221: Be much more paranoid about control-characters in backend responses.

Fixes #549



git-svn-id: http://www.varnish-cache.org/svn/branches/2.0@4314 d4fa192b-c00b-0410-8231-f00ffab90ce4

bin/varnishd/cache_http.c

@@ -390,7 +390,7 @@ static int
 http_splitline(struct worker *w, int fd, struct http *hp,
     const struct http_conn *htc, int h1, int h2, int h3)
 {
-	char *p;
+	char *p, *q;
 
 	CHECK_OBJ_NOTNULL(htc, HTTP_CONN_MAGIC);
 	CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
@@ -403,40 +403,47 @@ http_splitline(struct worker *w, int fd, struct http *hp,
 		continue;
 
 	/* First field cannot contain SP, CRLF or CTL */
-	hp->hd[h1].b = p;
-	for (; !vct_issp(*p); p++)
+	q = p;
+	for (; !vct_issp(*p); p++) {
 		if (vct_isctl(*p))
 			return (400);
+	}
+	hp->hd[h1].b = q;
 	hp->hd[h1].e = p;
 
 	/* Skip SP */
-	for (; vct_issp(*p); p++)
-		;
+	for (; vct_issp(*p); p++) {
+		if (vct_isctl(*p))
+			return (400);
+	}
 
-	/* Second field cannot contain LWS */
-	hp->hd[h2].b = p;
-	for (; !vct_islws(*p); p++)
-		;
+	/* Second field cannot contain LWS or CTL */
+	q = p;
+	for (; !vct_islws(*p); p++) {
+		if (vct_isctl(*p))
+			return (400);
+	}
+	hp->hd[h2].b = q;
 	hp->hd[h2].e = p;
 
 	if (!Tlen(hp->hd[h2]))
 		return (400);
 
 	/* Skip SP */
-	for (; vct_issp(*p); p++)
-		;
+	for (; vct_issp(*p); p++) {
+		if (vct_isctl(*p))
+			return (400);
+	}
 
 	/* Third field is optional and cannot contain CTL */
+	q = p;
 	if (!vct_iscrlf(*p)) {
-		hp->hd[h3].b = p;
 		for (; !vct_iscrlf(*p); p++)
 			if (vct_isctl(*p))
 				return (400);
-		hp->hd[h3].e = p;
-	} else {
-		hp->hd[h3].b = p;
-		hp->hd[h3].e = p;
 	}
+	hp->hd[h3].b = q;
+	hp->hd[h3].e = p;
 
 	/* Skip CRLF */
 	p += vct_skipcrlf(p);

bin/varnishtest/tests/r00549.vtc

+# $Id$
+
+# Regression test for bad backend reply with ctrl char.
+
+server s1 {
+	rxreq
+	send "HTTP/1.1 200 OK\013\r\n\r\nTest"
+} -start
+
+varnish v1 -vcl+backend {} -start
+
+client c1 {
+	txreq
+	rxresp
+} -run