
Return 503 when Vary-headers references header names more than 127

(our limit) characters long.

Fixes: #1274

Test case by: Dag Haavi Finstad
1 parent f8f75cb commit f5c42c6aaf9bdadf58f58dddb2b9e755d12d790b @mbgrydeland mbgrydeland committed Mar 18, 2013
Showing with 22 additions and 0 deletions.
  1. +7 −0 bin/varnishd/cache/cache_vary.c
  2. +15 −0 bin/varnishtest/tests/r01274.vtc
@@ -101,6 +101,13 @@ VRY_Create(struct req *req, const struct http *hp, struct vsb **psb)
for (q = p; *q && !vct_issp(*q) && *q != ','; q++)
continue;
+ if (q - p > INT8_MAX) {
+ VSLb(req->vsl, SLT_Error,
+ "Vary header name length exceeded");
+ error = 1;
+ break;
+ }
+
/* Build a header-matching string out of it */
VSB_clear(sbh);
VSB_printf(sbh, "%c%.*s:%c",
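Review bot: The guard `q - p > INT8_MAX` still lets a name of exactly 127 characters through, and whether that is safe depends on the VSB_printf arguments, which lie outside this hunk. The format `"%c%.*s:%c"` starts with a single byte followed by the name and a colon; if that leading byte holds the length including the colon (name length + 1), a 127-character name gives 128, which does not fit a signed char where char is signed. In that case the check should read `if (q - p >= INT8_MAX) {`. A one-line comment above the check, for instance `/* The length prefix is a single char, so the name must fit in it */`, would also tell the next reader where the limit comes from. VRY_Create starts and ends outside the hunk.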
@@ -0,0 +1,15 @@
+varnishtest "#1274 - panic when Vary field-name is too large to fit in a signed char"
+
+server s1 {
+ rxreq
+ # Vary header more than 127 characters long
+ txresp -hdr "Vary: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+} -start
+
+varnish v1 -vcl+backend { } -start
+
+client c1 {
+ txreq
+ rxresp
+ expect resp.status == 503
+} -run
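Review bot: The test sends a single over-long field-name, so it does not pin down where the limit sits; a name exactly at the limit is never sent. A second backend response whose Vary field-name is exactly 127 characters, with the matching `expect resp.status` line in the client for whatever status the limit is meant to produce, would catch an off-by-one in the length check in cache_vary.c. The comment `# Vary header more than 127 characters long` could also state the actual length of the name being sent, since that is hard to read off the string.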
