Fix two bugs in ACL compile code.

Fixes #1312 See Also: CVE-2013-4090

Fix two bugs in ACL compile code.
Fixes #1312 See Also: CVE-2013-4090
bcd514d3 · Poul-Henning Kamp · 0acece74 · bcd514d3 · bcd514d3
Commit bcd514d3 authored Jun 11, 2013 by Poul-Henning Kamp
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 2 deletions

r01312.vtc bin/varnishtest/tests/r01312.vtc +28 -0

vcc_acl.c lib/libvcl/vcc_acl.c +2 -2

No files found.
--- a/bin/varnishtest/tests/r01312.vtc
+++ b/bin/varnishtest/tests/r01312.vtc
+varnishtest "acl miscompile"
+
+server s1 {
+	rxreq
+	txresp
+} -start
+
+varnish v1 -vcl+backend {
+	acl foo {
+		"127.0.0.2";
+		"127.0.1"/19;
+	}
+	acl bar {
+		"127.0.1.2";
+		"127.0.1"/19;
+	}
+	sub vcl_deliver {
+		set resp.http.ACLfoo = client.ip ~ foo;
+		set resp.http.ACLbar = client.ip ~ bar;
+	}
+} -start
+
+client c1 {
+	txreq
+	rxresp
+	expect resp.http.aclfoo == true
+	expect resp.http.aclbar == true
+} -run
--- a/lib/libvcl/vcc_acl.c
+++ b/lib/libvcl/vcc_acl.c
@@ -381,7 +381,7 @@ vcc_acl_emit(const struct vcc *tl, const char *acln, int anon)
 	VTAILQ_FOREACH(ae, &tl->acl, list) {

 		/* Find how much common prefix we have */
-		for (l = 0; l <= depth && l * 8 < ae->mask; l++) {
+		for (l = 0; l <= depth && l * 8 < ae->mask - 7; l++) {
 			assert(l >= 0);
 			if (ae->data[l] != at[l])
 				break;
@@ -392,11 +392,11 @@ vcc_acl_emit(const struct vcc *tl, const char *acln, int anon)
 		while (l <= depth) {
 			Fh(tl, 0, "\t%*s}\n", -depth, "");
 			depth--;
-			oc = "else ";
 		}

 		m = ae->mask;
 		m -= l * 8;
+		assert(m >= 0);

 		/* Do whole byte compares */
 		for (i = l; m >= 8; m -= 8, i++) {