Avoid buffer read overflow on vcl_error and -sfile

The file stevedore may return a buffer larger than asked for when
requesting storage. Due to lack of check for this condition, the code
to copy the synthetic error memory buffer from vcl_error would overrun
the buffer.

Patch by @shamger

Fixes: #2429
mbgrydeland committed Sep 18, 2017
1 parent b5593e2 commit 176f8a075a963ffbfa56f1c460c15f6a1a6af5a7
Showing with 2 additions and 0 deletions.
  1. +2 −0 bin/varnishd/cache/cache_fetch.c
@@ -899,6 +899,8 @@ vbf_stp_error(struct worker *wrk, struct busyobj *bo)
l = ll;
if (VFP_GetStorage(bo->vfc, &l, &ptr) != VFP_OK)
break;
if (l > ll)
l = ll;
memcpy(ptr, VSB_data(synth_body) + o, l);
VFP_Extend(bo->vfc, l);
ll -= l;
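
Review bot: The clamp `if (l > ll) l = ll;` directly after the `VFP_GetStorage()` call in `vbf_stp_error()` carries no comment explaining why `l` can come back larger than the `ll` that was requested, so it reads like dead code and could be dropped in a later cleanup. A one-line comment stating that the stevedore may return more storage than asked for (the file stevedore, per the commit message) would document the invariant the `memcpy()` from `VSB_data(synth_body) + o` depends on. The commit changes only cache_fetch.c, so there is no regression test; a test case that delivers a synthetic body from vcl_error under -sfile would guard against the over-read returning. It is also worth confirming whether other `VFP_GetStorage()` callers use the returned size as a copy length from a fixed-size source, since the same assumption would fail there.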
