Mark req doclose when failing to ignore req body

Previously we would ignore errors to iterate the request body into oblivion in VRB_Ignore(), keeping the connection open. This opens an out-of-sync vulnerability on H/1 connections. This patch tests the status of the request body in VRB_Ignore(), marking the request failed and that it should be closed on errors.
varnishcache · Jan 11, 2022 · dcbe8b9 · dcbe8b9
1 parent 9ebad0c
commit dcbe8b9
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c
@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req)
 	if (req->req_body_status == REQ_BODY_WITH_LEN ||
 	    req->req_body_status == REQ_BODY_WITHOUT_LEN)
 		(void)VRB_Iterate(req, httpq_req_body_discard, NULL);
+	if (req->req_body_status == REQ_BODY_FAIL)
+		req->doclose = SC_RX_BODY;
 	return(0);
 }