Bogusly large chunk sizes may cause assert

[mbgrydeland]

A client sending a request body using chunked encoding may cause the
Varnish daemon to assert and restart if sending a chunk size larger
than a signed 64-bit signed integer can hold.

This has been assigned VSV00001.

For more information see this page:

http://varnish-cache.org/security/VSV00001

[apoleon]

Hi,

we maintain an older version of varnish, 3.0.2. According to your security advisory versions up to 4.0.0 are not affected. However in 3.0.2 there is a similar code fragment in bin/varnishd/cache_fetch.c, function fetch_number

cl = (ssize_t)cll;
if((uintmax_t)cl != cll) /* Protect against bogusly large values */
return (-1);
return (cl);

I wonder whether the if condition should be extended to if (cl < 0 || (uintmax_t)cl != cll) as well in this case? Or can someone confirm that the vulnerability cannot be triggered by this function.

[dridi]

I would recommend taking the test case from 09731b2. Back-port it to your fork's varnishtest syntax and see whether you are vulnerable.

[mbgrydeland]

It is true as was pointed out that the faulty line was there also before version 4.0.1. But what was new in 4.0.1 was that the code path containing the faulty line was exposed to client requests. Before 4.0.1, this code could only be run through backend fetches. While stil a bug, problems related to backend traffic are not considered a security problem, thus the advisory is only issued for version 4.0.1 and later.

[carnil]

@mbgrydeland: CVE-2017-12425 has been assigned for this issue.

[apoleon]

Thank you both for your advice and comments.