aboutsummaryrefslogtreecommitdiffstats
path: root/main/varnish/CVE-2017-12425.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/varnish/CVE-2017-12425.patch')
-rw-r--r--main/varnish/CVE-2017-12425.patch108
1 files changed, 0 insertions, 108 deletions
diff --git a/main/varnish/CVE-2017-12425.patch b/main/varnish/CVE-2017-12425.patch
deleted file mode 100644
index 0ff0d9f57a..0000000000
--- a/main/varnish/CVE-2017-12425.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From c37821ddd539a23845ae8e9a7a9cc958358c1541 Mon Sep 17 00:00:00 2001
-From: Martin Blix Grydeland <martin@varnish-software.com>
-Date: Thu, 27 Jul 2017 11:52:58 +0200
-Subject: [PATCH] Correctly handle bogusly large chunk sizes
-
-This fixes a denial of service attack vector where bogusly large chunk
-sizes in requests could be used to force restarts of the Varnish
-server.
-
-This is Varnish Security Vulnerability VSV00001
-
-For more information visit: https://varnish-cache.org/security/VSV00001
-
-Fixes: #2379
----
- bin/varnishd/http1/cache_http1_vfp.c | 2 +-
- bin/varnishtest/tests/f00001.vtc | 69 ++++++++++++++++++++++++++++++++++++
- 2 files changed, 70 insertions(+), 1 deletion(-)
- create mode 100644 bin/varnishtest/tests/f00001.vtc
-
-diff --git a/bin/varnishd/http1/cache_http1_vfp.c b/bin/varnishd/http1/cache_http1_vfp.c
-index b836cd3ca..ded1550bf 100644
---- a/bin/varnishd/http1/cache_http1_vfp.c
-+++ b/bin/varnishd/http1/cache_http1_vfp.c
-@@ -155,7 +155,7 @@ v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr,
- if (q == NULL || *q != '\0')
- return (VFP_Error(vc, "chunked header number syntax"));
- cl = (ssize_t)cll;
-- if((uintmax_t)cl != cll)
-+ if (cl < 0 || (uintmax_t)cl != cll)
- return (VFP_Error(vc, "bogusly large chunk size"));
-
- vfe->priv2 = cl;
-diff --git a/bin/varnishtest/tests/f00001.vtc b/bin/varnishtest/tests/f00001.vtc
-new file mode 100644
-index 000000000..bfb559228
---- /dev/null
-+++ b/bin/varnishtest/tests/f00001.vtc
-@@ -0,0 +1,69 @@
-+varnishtest "Check that we handle bogusly large chunks correctly"
-+
-+# Check that the bug has been fixed
-+
-+server s1 {
-+ rxreq
-+ txresp
-+
-+ accept
-+ rxreq
-+ txresp
-+} -start
-+
-+varnish v1 -vcl+backend {
-+} -start
-+
-+client c1 {
-+ send "POST / HTTP/1.1\r\n"
-+ send "Transfer-Encoding: chunked\r\n\r\n"
-+ send "FFFFFFFFFFFFFFED\r\n"
-+ send "0\r\n\r\n"
-+
-+ rxresp
-+ expect resp.status == 503
-+} -run
-+
-+# Check that the published workaround does not cause harm
-+
-+varnish v1 -cliok "param.set vcc_allow_inline_c true"
-+
-+varnish v1 -vcl+backend {
-+ sub exploit_workaround {
-+ # This needs to be defined before your vcl_recv function
-+ # Make sure that the runtime parameter vcc_allow_inline_c is set to true
-+ if (req.http.transfer-encoding ~ "(?i)chunked") {
-+ C{
-+ struct dummy_req {
-+ unsigned magic;
-+ int step;
-+ int req_body_status;
-+ };
-+ ((struct dummy_req *)ctx->req)->req_body_status = 5;
-+ }C
-+
-+ return (synth(503, "Bad request"));
-+ }
-+ }
-+
-+ sub vcl_recv {
-+ # Call this early in your vcl_recv function
-+ call exploit_workaround;
-+ }
-+}
-+
-+client c1 {
-+ send "POST / HTTP/1.1\r\n"
-+ send "Transfer-Encoding: chunked\r\n\r\n"
-+ send "FFFFFFFFFFFFFFED\r\n"
-+
-+ expect_close
-+} -run
-+
-+# Make sure that varnish is still running
-+
-+client c1 {
-+ txreq
-+ rxresp
-+ expect resp.status == 200
-+} -run