Correctly handle bogusly large chunk sizes

This fixes a denial of service attack vector where bogusly large chunk sizes in requests could be used to force restarts of the Varnish server. This is Varnish Security Vulnerability VSV00001 For more information visit: https://varnish-cache.org/security/VSV00001 Fixes: #2379
varnishcache · Aug 2, 2017 · 09731b2 · 09731b2
1 parent b8290db
commit 09731b2
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 1 deletion.
diff --git a/bin/varnishd/http1/cache_http1_vfp.c b/bin/varnishd/http1/cache_http1_vfp.c
@@ -152,7 +152,7 @@ v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr,
 		if (q == NULL || *q != '\0')
 			return (VFP_Error(vc, "chunked header number syntax"));
 		cl = (ssize_t)cll;
-		if ((uintmax_t)cl != cll)
+		if (cl < 0 || (uintmax_t)cl != cll)
 			return (VFP_Error(vc, "bogusly large chunk size"));
 
 		vfe->priv2 = cl;

diff --git a/bin/varnishtest/tests/f00001.vtc b/bin/varnishtest/tests/f00001.vtc
@@ -0,0 +1,40 @@
+varnishtest "Check that we handle bogusly large chunks correctly"
+
+# Check that the bug has been fixed
+
+server s1 {
+	rxreq
+	txresp
+} -start
+
+varnish v1 -vcl+backend {
+} -start
+
+client c1 {
+	send "POST / HTTP/1.1\r\n"
+	send "Transfer-Encoding: chunked\r\n\r\n"
+	send "FFFFFFFFFFFFFFED\r\n"
+	send "0\r\n\r\n"
+
+	rxresp
+	expect resp.status == 503
+} -run
+
+# Check that the published workaround does not cause harm
+
+varnish v1 -vcl+backend {
+	sub vcl_recv {
+		if (req.http.transfer-encoding ~ "(?i)chunked") {
+			return (fail);
+		}
+	}
+}
+
+client c1 {
+	send "POST / HTTP/1.1\r\n"
+	send "Transfer-Encoding: chunked\r\n\r\n"
+	send "FFFFFFFFFFFFFFED\r\n"
+
+	rxresp
+	expect resp.status == 503
+} -run