If VRB_cache() is called with a POST body larger than the provided

size limitation, the request fails and the connection is closed. Fixes #1664

If VRB_cache() is called with a POST body larger than the provided
size limitation, the request fails and the connection is closed. Fixes #1664
d7695e48 · Arianna Aondio · af8cc5b9 · d7695e48 · d7695e48 · d7695e48
Commit d7695e48 authored Mar 11, 2015 by Arianna Aondio
4 changed files
--- a/bin/varnishd/cache/cache_req_body.c
+++ b/bin/varnishd/cache/cache_req_body.c
@@ -218,9 +218,10 @@ VRB_Cache(struct req *req, ssize_t maxsize)

 	CHECK_OBJ_NOTNULL(req->htc, HTTP_CONN_MAGIC);
 	vfc = req->htc->vfc;
+	VFP_Setup(vfc);
+	vfc->wrk = req->wrk;

 	if (req->htc->content_length > maxsize) {
-		// XXX #1664
 		req->req_body_status = REQ_BODY_FAIL;
 		(void)VFP_Error(vfc, "Request body too big to cache");
 		return (-1);
@@ -230,9 +231,7 @@ VRB_Cache(struct req *req, ssize_t maxsize)
 	AN(req->body_oc);
 	XXXAN(STV_NewObject(req->body_oc, req->wrk, TRANSIENT_STORAGE, 8));

-	VFP_Setup(vfc);
 	vfc->http = req->http;
-	vfc->wrk = req->wrk;
 	vfc->oc = req->body_oc;
 	V1F_Setup_Fetch(vfc, req->htc);

@@ -248,6 +247,12 @@ VRB_Cache(struct req *req, ssize_t maxsize)
 		yet = 0;
 	do {
 		AZ(vfc->failed);
+		if (req->req_bodybytes > maxsize) {
+			req->req_body_status = REQ_BODY_FAIL;
+			(void)VFP_Error(vfc, "Request body too big to cache");
+			VFP_Close(vfc);
+			return(-1);
+		}
 		l = yet;
 		if (VFP_GetStorage(vfc, &l, &ptr) != VFP_OK)
 			break;

--- a/bin/varnishd/cache/cache_req_fsm.c
+++ b/bin/varnishd/cache/cache_req_fsm.c
@@ -607,8 +607,10 @@ cnt_recv(struct worker *wrk, struct req *req)
 	VCL_recv_method(req->vcl, wrk, req, NULL, req->http->ws);

 	/* Attempts to cache req.body may fail */
-	if (req->req_body_status == REQ_BODY_FAIL)
+	if (req->req_body_status == REQ_BODY_FAIL) {
+		req->doclose = SC_RX_BODY;
 		return (REQ_FSM_DONE);
+	}

 	recv_handling = wrk->handling;


--- a/bin/varnishtest/tests/c00055.vtc
+++ b/bin/varnishtest/tests/c00055.vtc
@@ -69,5 +69,10 @@ client c1 {
 	expect resp.status == 200
 	expect resp.http.X-BodyBytes == 0
 } -run
+
+client c2 {
+       txreq -req POST -nolen -hdr "Content-Length: 1025"
+       expect_close
+} -run
 varnish v1 -stop
 logexpect l1 -wait
--- a/bin/varnishtest/tests/c00067.vtc
+++ b/bin/varnishtest/tests/c00067.vtc
@@ -34,7 +34,7 @@ varnish v1 -vcl+backend {
 	import ${vmod_std};

 	sub vcl_recv {
-		std.cache_req_body(1000B);
+		std.cache_req_body(110B);
 	}
 }

@@ -42,12 +42,6 @@ client c1 {
 	txreq -req POST -nolen -hdr "Transfer-encoding: chunked"
 	chunked {BLAS}
 	delay .2
-	chunkedlen 100
-	delay .2
-	chunked {TFOO}
-	delay .2
-	chunkedlen 0
-	rxresp
-	expect resp.status == 200
-	expect resp.bodylen == 5
+	chunkedlen 110
+	expect_close
 } -run