Mark req doclose when failing to ignore req body

Previously we would ignore errors to iterate the request body into oblivion in VRB_Ignore(), keeping the connection open. This opens an out-of-sync vulnerability on H/1 connections. This patch tests the status of the request body in VRB_Ignore(), marking the request failed and that it should be closed on errors.

Mark req doclose when failing to ignore req body
Previously we would ignore errors to iterate the request body into oblivion in VRB_Ignore(), keeping the connection open. This opens an out-of-sync vulnerability on H/1 connections. This patch tests the status of the request body in VRB_Ignore(), marking the request failed and that it should be closed on errors.
dcbe8b9e · Martin Blix Grydeland · 9ebad0cf · dcbe8b9e
Commit dcbe8b9e authored Dec 17, 2021 by Martin Blix Grydeland
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

cache_req_body.c bin/varnishd/cache/cache_req_body.c +2 -0

No files found.
--- a/bin/varnishd/cache/cache_req_body.c
+++ b/bin/varnishd/cache/cache_req_body.c
@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req)
 	if (req->req_body_status == REQ_BODY_WITH_LEN ||
 	    req->req_body_status == REQ_BODY_WITHOUT_LEN)
 		(void)VRB_Iterate(req, httpq_req_body_discard, NULL);
+	if (req->req_body_status == REQ_BODY_FAIL)
+		req->doclose = SC_RX_BODY;
 	return(0);
 }