From 4cc9c3f26216cc088f29ebf2fd37dfdf6e85c57c Mon Sep 17 00:00:00 2001 From: baizg1107 Date: Tue, 10 Nov 2020 15:52:54 +0800 Subject: [PATCH 1/3] Fix no man manual --- varnish.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/varnish.spec b/varnish.spec index 1eefd10..d75279a 100644 --- a/varnish.spec +++ b/varnish.spec @@ -1,7 +1,7 @@ Name: varnish Summary: A web application accelerator Version: 6.0.0 -Release: 4 +Release: 5 License: BSD URL: https://www.varnish-cache.org/ Source0: http://varnish-cache.org/_downloads/varnish-%{version}.tgz @@ -14,6 +14,7 @@ Patch0001: varnish-5.1.1.fix_ld_library_path_in_doc_build.patch BuildRequires: python3-sphinx python3-docutils pkgconfig make graphviz nghttp2 systemd-units BuildRequires: ncurses-devel pcre-devel libedit-devel Requires: logrotate ncurses pcre jemalloc openEuler-rpm-config gcc +Requires: %{name}-help = %{version}-%{release} Requires(pre): shadow-utils Requires(post): /usr/bin/uuidgen systemd-units systemd-sysv Requires(preun): systemd-units @@ -157,5 +158,8 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc %{_mandir}/man7/*.7* %changelog +* Mon Nov 9 2020 baizhonggui - 6.0.0-5 +- Add install requires help package into main package + * Mon Feb 10 2020 wangye - 6.0.0-4 - Init package -- Gitee From 3f6622f3a413ab603d99db4049b7f3d2da697c1f Mon Sep 17 00:00:00 2001 From: wang_yue111 <648774160@qq.com> Date: Tue, 19 Jan 2021 11:36:56 +0800 Subject: [PATCH 2/3] Fix CVE-2019-15892 (cherry picked from commit d87d4c4387e12747988e8b4dead7ee4651f89694) --- CVE-2019-15892-1.patch | 221 +++++++++++++++++++++++++++++++++++++++++ CVE-2019-15892-2.patch | 25 +++++ CVE-2019-15892-3.patch | 48 +++++++++ CVE-2019-15892-4.patch | 46 +++++++++ CVE-2019-15892-5.patch | 41 ++++++++ CVE-2019-15892-6.patch | 60 +++++++++++ CVE-2019-15892-7.patch | 45 +++++++++ CVE-2019-15892-8.patch | 36 +++++++ varnish.spec | 2 +- 9 files changed, 523 insertions(+), 1 deletion(-) create mode 100644 CVE-2019-15892-1.patch create mode 100644 CVE-2019-15892-2.patch create mode 100644 CVE-2019-15892-3.patch create mode 100644 CVE-2019-15892-4.patch create mode 100644 CVE-2019-15892-5.patch create mode 100644 CVE-2019-15892-6.patch create mode 100644 CVE-2019-15892-7.patch create mode 100644 CVE-2019-15892-8.patch diff --git a/CVE-2019-15892-1.patch b/CVE-2019-15892-1.patch new file mode 100644 index 0000000..35d58b6 --- /dev/null +++ b/CVE-2019-15892-1.patch @@ -0,0 +1,221 @@ +From 177e17c8f129c58daeeb98055761ee65ab5c3dfc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alf-Andr=C3=A9=20Walla?= +Date: Tue, 13 Aug 2019 12:52:39 +0200 +Subject: [PATCH] Add bounds-checking to vct_iscrlf and vct_skipcrlf + +The macros vct_iscrlf() and vct_skipcrlf() may look at one or two bytes +after its pointer value, causing OOB reads. This would allow +http1_dissect_hdrs to wrongly see a CRLF when one wasn't there (the last +LF left over in the bufer from the previous request). + +Change the macros to inline functions, and harden them by always sending +the end pointer so that they can't overflow. + +vct_iscrlf() will return an int value of 0 for no [CR]LF, 1 for LF and 2 +for CRLF. + +vct_skipcrlf() will return the pointer having been skipped 0, 1 or 2 +bytes. +--- + bin/varnishd/http1/cache_http1_proto.c | 16 +++++++++------- + bin/varnishtest/vtc_http.c | 26 ++++++++++++++------------ + include/vct.h | 19 +++++++++++++++++-- + bin/varnishtest/vtc_subr.c | 3 ++- + 4 files changed, 42 insertions(+), 22 deletions(-) + +diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c +index dd81863d32..5d99da47a8 100644 +--- a/bin/varnishd/http1/cache_http1_proto.c ++++ b/bin/varnishd/http1/cache_http1_proto.c +@@ -121,31 +121,31 @@ http1_dissect_hdrs(struct http *hp, char *p, struct http_conn *htc, + + /* Find end of next header */ + q = r = p; +- if (vct_iscrlf(p)) ++ if (vct_iscrlf(p, htc->rxbuf_e)) + break; + while (r < htc->rxbuf_e) { + if (!vct_isctl(*r) || vct_issp(*r)) { + r++; + continue; + } +- if (!vct_iscrlf(r)) { ++ if (!vct_iscrlf(r, htc->rxbuf_e)) { + VSLb(hp->vsl, SLT_BogoHeader, + "Header has ctrl char 0x%02x", *r); + return (400); + } + q = r; + assert(r < htc->rxbuf_e); +- r += vct_skipcrlf(r); ++ r = vct_skipcrlf(r, htc->rxbuf_e); + if (r >= htc->rxbuf_e) + break; +- if (vct_iscrlf(r)) ++ if (vct_iscrlf(r, htc->rxbuf_e)) + break; + /* If line does not continue: got it. */ + if (!vct_issp(*r)) + break; + + /* Clear line continuation LWS to spaces */ +- while (vct_islws(*q)) ++ while (q < htc->rxbuf_e && vct_islws(*q)) + *q++ = ' '; + } + +@@ -275,7 +275,7 @@ http1_splitline(struct http *hp, struct http_conn *htc, const int *hf, + hp->hd[hf[2]].b = p; + + /* Third field is optional and cannot contain CTL except TAB */ +- for (; !vct_iscrlf(p); p++) { ++ for (; p < htc->rxbuf_e && !vct_iscrlf(p, htc->rxbuf_e); p++) { + if (vct_isctl(*p) && !vct_issp(*p)) { + hp->hd[hf[2]].b = NULL; + return (400); +@@ -284,7 +284,9 @@ http1_splitline(struct http *hp, struct http_conn *htc, const int *hf, + hp->hd[hf[2]].e = p; + + /* Skip CRLF */ +- i = vct_skipcrlf(p); ++ i = vct_iscrlf(p, htc->rxbuf_e); ++ if (!i) ++ return (400); + *p = '\0'; + p += i; + +diff --git a/bin/varnishtest/vtc_http.c b/bin/varnishtest/vtc_http.c +index 616cb459e1..e17643f8eb 100644 +--- a/bin/varnishtest/vtc_http.c ++++ b/bin/varnishtest/vtc_http.c +@@ -409,6 +409,7 @@ http_splitheader(struct http *hp, int req) + char *p, *q, **hh; + int n; + char buf[20]; ++ const char* rxbuf_e = &hp->rxbuf[hp->prxbuf]; + + CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC); + if (req) { +@@ -428,20 +429,20 @@ http_splitheader(struct http *hp, int req) + hh[n++] = p; + while (!vct_islws(*p)) + p++; +- AZ(vct_iscrlf(p)); ++ AZ(vct_iscrlf(p, rxbuf_e)); + *p++ = '\0'; + + /* URL/STATUS */ + while (vct_issp(*p)) /* XXX: H space only */ + p++; +- AZ(vct_iscrlf(p)); ++ AZ(vct_iscrlf(p, rxbuf_e)); + hh[n++] = p; + while (!vct_islws(*p)) + p++; +- if (vct_iscrlf(p)) { ++ if (vct_iscrlf(p, rxbuf_e)) { + hh[n++] = NULL; + q = p; +- p += vct_skipcrlf(p); ++ p = vct_skipcrlf(p, rxbuf_e); + *q = '\0'; + } else { + *p++ = '\0'; +@@ -449,26 +450,26 @@ http_splitheader(struct http *hp, int req) + while (vct_issp(*p)) /* XXX: H space only */ + p++; + hh[n++] = p; +- while (!vct_iscrlf(p)) ++ while (!vct_iscrlf(p, rxbuf_e)) + p++; + q = p; +- p += vct_skipcrlf(p); ++ p = vct_skipcrlf(p, rxbuf_e); + *q = '\0'; + } + assert(n == 3); + + while (*p != '\0') { + assert(n < MAX_HDR); +- if (vct_iscrlf(p)) ++ if (vct_iscrlf(p, rxbuf_e)) + break; + hh[n++] = p++; +- while (*p != '\0' && !vct_iscrlf(p)) ++ while (*p != '\0' && !vct_iscrlf(p, rxbuf_e)) + p++; + q = p; +- p += vct_skipcrlf(p); ++ p = vct_skipcrlf(p, rxbuf_e); + *q = '\0'; + } +- p += vct_skipcrlf(p); ++ p = vct_skipcrlf(p, rxbuf_e); + assert(*p == '\0'); + + for (n = 0; n < 3 || hh[n] != NULL; n++) { +@@ -564,15 +565,16 @@ http_rxchunk(struct http *hp) + vtc_dump(hp->vl, 4, "chunk", hp->rxbuf + l, i); + } + l = hp->prxbuf; ++ + if (http_rxchar(hp, 2, 0) < 0) + return (-1); +- if (!vct_iscrlf(hp->rxbuf + l)) { ++ if (!vct_iscrlf(&hp->rxbuf[l], &hp->rxbuf[hp->prxbuf])) { + vtc_log(hp->vl, hp->fatal, + "Wrong chunk tail[0] = %02x", + hp->rxbuf[l] & 0xff); + return (-1); + } +- if (!vct_iscrlf(hp->rxbuf + l + 1)) { ++ if (!vct_iscrlf(&hp->rxbuf[l + 1], &hp->rxbuf[hp->prxbuf])) { + vtc_log(hp->vl, hp->fatal, + "Wrong chunk tail[1] = %02x", + hp->rxbuf[l + 1] & 0xff); +diff --git a/include/vct.h b/include/vct.h +index 24143a3322..1b7ffbd4f5 100644 +--- a/include/vct.h ++++ b/include/vct.h +@@ -76,7 +76,22 @@ vct_is(int x, uint16_t y) + #define vct_isxmlname(x) vct_is(x, VCT_XMLNAMESTART | VCT_XMLNAME) + #define vct_istchar(x) vct_is(x, VCT_ALPHA | VCT_DIGIT | VCT_TCHAR) + +-#define vct_iscrlf(p) (((p)[0] == 0x0d && (p)[1] == 0x0a) || (p)[0] == 0x0a) ++static inline int ++vct_iscrlf(const char* p, const char* end) ++{ ++ assert(p <= end); ++ if (p == end) ++ return (0); ++ if ((p[0] == 0x0d && (p+1 < end) && p[1] == 0x0a)) // CR LF ++ return (2); ++ if (p[0] == 0x0a) // LF ++ return (1); ++ return (0); ++} + + /* NB: VCT always operate in ASCII, don't replace 0x0d with \r etc. */ +-#define vct_skipcrlf(p) ((p)[0] == 0x0d && (p)[1] == 0x0a ? 2 : 1) ++static inline char* ++vct_skipcrlf(char* p, const char* end) ++{ ++ return (p + vct_iscrlf(p, end)); ++} +diff --git a/bin/varnishtest/vtc_subr.c b/bin/varnishtest/vtc_subr.c +index 2c1439a..f200981 100644 +--- a/bin/varnishtest/vtc_subr.c ++++ b/bin/varnishtest/vtc_subr.c +@@ -33,10 +33,11 @@ + #include + #include + ++#include "vtc.h" ++ + #include "vct.h" + #include "vnum.h" + #include "vre.h" +-#include "vtc.h" + + struct vsb * + vtc_hex_to_bin(struct vtclog *vl, const char *arg) diff --git a/CVE-2019-15892-2.patch b/CVE-2019-15892-2.patch new file mode 100644 index 0000000..d519f95 --- /dev/null +++ b/CVE-2019-15892-2.patch @@ -0,0 +1,25 @@ +From f98c250300bd7303bb7b706384ec153101a3eab0 Mon Sep 17 00:00:00 2001 +From: Martin Blix Grydeland +Date: Thu, 15 Aug 2019 10:44:00 +0200 +Subject: [PATCH] Allow a NULL value in http_Proto + +The proto field is optional in HTTP, so it may not be set. Set the proto +to 0 also for a NULL value instead of segfaulting if it were NULL. +--- + bin/varnishd/cache/cache_http.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/bin/varnishd/cache/cache_http.c b/bin/varnishd/cache/cache_http.c +index 23eaa0b183..070ead2e6b 100644 +--- a/bin/varnishd/cache/cache_http.c ++++ b/bin/varnishd/cache/cache_http.c +@@ -212,7 +212,8 @@ http_Proto(struct http *to) + + fm = to->hd[HTTP_HDR_PROTO].b; + +- if ((fm[0] == 'H' || fm[0] == 'h') && ++ if (fm != NULL && ++ (fm[0] == 'H' || fm[0] == 'h') && + (fm[1] == 'T' || fm[1] == 't') && + (fm[2] == 'T' || fm[2] == 't') && + (fm[3] == 'P' || fm[3] == 'p') && diff --git a/CVE-2019-15892-3.patch b/CVE-2019-15892-3.patch new file mode 100644 index 0000000..f47a3f2 --- /dev/null +++ b/CVE-2019-15892-3.patch @@ -0,0 +1,48 @@ +From 3dc8c15adc23456f494fd23455b2251efe275eda Mon Sep 17 00:00:00 2001 +From: Martin Blix Grydeland +Date: Thu, 15 Aug 2019 10:56:58 +0200 +Subject: [PATCH] Fix http1_splitline parsing of 2 field HTTP proto lines using + NLNL + +When parsing a request like this, "GET /\n\n", the first NL would be +overwritten by nul guard inserted after the 2nd field, and the second NL +would be overwritten by the nul guard after the missing 3rd field. This +would cause http1_dissect_hdrs to attempt to decode the body as headers. +--- + bin/varnishd/http1/cache_http1_proto.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c +index 5d99da47a8..af9ca3898c 100644 +--- a/bin/varnishd/http1/cache_http1_proto.c ++++ b/bin/varnishd/http1/cache_http1_proto.c +@@ -224,7 +224,7 @@ static uint16_t + http1_splitline(struct http *hp, struct http_conn *htc, const int *hf, + unsigned maxhdr) + { +- char *p; ++ char *p, *q; + int i; + + assert(hf == HTTP1_Req || hf == HTTP1_Resp); +@@ -265,14 +265,19 @@ http1_splitline(struct http *hp, struct http_conn *htc, const int *hf, + hp->hd[hf[1]].e = p; + if (!Tlen(hp->hd[hf[1]])) + return (400); +- *p++ = '\0'; + + /* Skip SP */ ++ q = p; + for (; vct_issp(*p); p++) { + if (vct_isctl(*p)) + return (400); + } + hp->hd[hf[2]].b = p; ++ if (q < p) ++ *q = '\0'; /* Nul guard for the 2nd field. If q == p ++ * (the third optional field is not ++ * present), the last nul guard will ++ * cover this field. */ + + /* Third field is optional and cannot contain CTL except TAB */ + for (; p < htc->rxbuf_e && !vct_iscrlf(p, htc->rxbuf_e); p++) { diff --git a/CVE-2019-15892-4.patch b/CVE-2019-15892-4.patch new file mode 100644 index 0000000..00e8667 --- /dev/null +++ b/CVE-2019-15892-4.patch @@ -0,0 +1,46 @@ +From 73befed1a6950f5312e3a422dde82a7bb5a8bbe3 Mon Sep 17 00:00:00 2001 +From: Martin Blix Grydeland +Date: Thu, 15 Aug 2019 11:16:22 +0200 +Subject: [PATCH] Do not set the proto txt.b value when third field is missing + +In http1_splitline, if the third field is missing, we would still set the +txt.b value to where the field would have been, with a NULL txt.e +entry. This would cause http_Proto to attempt to parse the values +there. Fix this by only setting the .b and .e if the third field was +present. +--- + bin/varnishd/http1/cache_http1_proto.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c +index af9ca3898c..e55555bf19 100644 +--- a/bin/varnishd/http1/cache_http1_proto.c ++++ b/bin/varnishd/http1/cache_http1_proto.c +@@ -272,7 +272,6 @@ http1_splitline(struct http *hp, struct http_conn *htc, const int *hf, + if (vct_isctl(*p)) + return (400); + } +- hp->hd[hf[2]].b = p; + if (q < p) + *q = '\0'; /* Nul guard for the 2nd field. If q == p + * (the third optional field is not +@@ -280,13 +279,15 @@ http1_splitline(struct http *hp, struct http_conn *htc, const int *hf, + * cover this field. */ + + /* Third field is optional and cannot contain CTL except TAB */ ++ q = p; + for (; p < htc->rxbuf_e && !vct_iscrlf(p, htc->rxbuf_e); p++) { +- if (vct_isctl(*p) && !vct_issp(*p)) { +- hp->hd[hf[2]].b = NULL; ++ if (vct_isctl(*p) && !vct_issp(*p)) + return (400); +- } + } +- hp->hd[hf[2]].e = p; ++ if (p > q) { ++ hp->hd[hf[2]].b = q; ++ hp->hd[hf[2]].e = p; ++ } + + /* Skip CRLF */ + i = vct_iscrlf(p, htc->rxbuf_e); diff --git a/CVE-2019-15892-5.patch b/CVE-2019-15892-5.patch new file mode 100644 index 0000000..a4f05a3 --- /dev/null +++ b/CVE-2019-15892-5.patch @@ -0,0 +1,41 @@ +From 3eb7a04587d235bec5a312d3eae652abd8a63a14 Mon Sep 17 00:00:00 2001 +From: Martin Blix Grydeland +Date: Thu, 15 Aug 2019 11:19:41 +0200 +Subject: [PATCH] Be stricter on final [CR]LF parsing in http1_dissect_hdrs + +The end of http1_dissect_hdrs ends with skipping over the final [CR]LF +that marks then end of the headers. Currently that skip is optional, that +is, it is skipped if it was present. + +This patch adds an assert if the final [CR]LF is not found when finishing +the parsing. HTTP1_Complete guarantees that it is there, if not we would +not have started parsing the request or response in the first place, and +if it is missing, there must be an error in the parsing leading up to it. +--- + bin/varnishd/http1/cache_http1_proto.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c +index e55555bf19..e5203a94ec 100644 +--- a/bin/varnishd/http1/cache_http1_proto.c ++++ b/bin/varnishd/http1/cache_http1_proto.c +@@ -117,6 +117,7 @@ http1_dissect_hdrs(struct http *hp, char + unsigned maxhdr) + { + char *q, *r; ++ int i; + + assert(p > htc->rxbuf_b); + assert(p <= htc->rxbuf_e); +@@ -213,8 +214,9 @@ http1_dissect_hdrs(struct http *hp, char + break; + } + } +- if (p < htc->rxbuf_e) +- p += vct_skipcrlf(p); ++ i = vct_iscrlf(p, htc->rxbuf_e); ++ assert(i > 0); /* HTTP1_Complete guarantees this */ ++ p += i; + HTC_RxPipeline(htc, p); + htc->rxbuf_e = p; + return (0); diff --git a/CVE-2019-15892-6.patch b/CVE-2019-15892-6.patch new file mode 100644 index 0000000..1b5f94c --- /dev/null +++ b/CVE-2019-15892-6.patch @@ -0,0 +1,60 @@ +From bf18bb21ef9c269edadac549b7b7d43fdb87051c Mon Sep 17 00:00:00 2001 +From: Martin Blix Grydeland +Date: Thu, 15 Aug 2019 12:54:50 +0200 +Subject: [PATCH] Fix HTTP header line continuation in http1_dissect_hdrs + +When clearing the [CR]LF in a line continuation, we would continue +replacing any [CR|LF|HT|SP] characters up until the end of the buffer, +possibly overwriting later [CR]LFs. Fix this by only unconditionally +overwrite one [CR]LF, and then only replace [HT|SP] with SP to keep with +previous behaviour. + +Update r00494.vtc to include multiple line continuations to make sure they +are parsed. +--- + bin/varnishd/http1/cache_http1_proto.c | 4 +++- + bin/varnishtest/tests/r00494.vtc | 11 +++++++++++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c +index e5203a94ec..e373d7d5d5 100644 +--- a/bin/varnishd/http1/cache_http1_proto.c ++++ b/bin/varnishd/http1/cache_http1_proto.c +@@ -146,7 +146,9 @@ http1_dissect_hdrs(struct http *hp, char *p, struct http_conn *htc, + break; + + /* Clear line continuation LWS to spaces */ +- while (q < htc->rxbuf_e && vct_islws(*q)) ++ while (q < r) ++ *q++ = ' '; ++ while (q < htc->rxbuf_e && vct_issp(*q)) + *q++ = ' '; + } + +diff --git a/bin/varnishtest/tests/r00494.vtc b/bin/varnishtest/tests/r00494.vtc +index cb0bbe8d7b..e0db8a4bf8 100644 +--- a/bin/varnishtest/tests/r00494.vtc ++++ b/bin/varnishtest/tests/r00494.vtc +@@ -6,6 +6,11 @@ server s1 { + rxreq + txresp -hdr {Foo: bar, + barf: fail} -body "xxx" ++ ++ rxreq ++ txresp -hdr {Foo: bar, ++ ++ barf: fail} -body "xxx" + } -start + + varnish v1 -vcl+backend { +@@ -21,4 +26,10 @@ client c1 { + expect resp.http.bar == "bar, barf: fail" + expect resp.http.barf == + expect resp.http.foo == ++ ++ txreq -url /2 ++ rxresp ++ expect resp.http.bar == "bar, barf: fail" ++ expect resp.http.barf == ++ expect resp.http.foo == + } -run diff --git a/CVE-2019-15892-7.patch b/CVE-2019-15892-7.patch new file mode 100644 index 0000000..3141f34 --- /dev/null +++ b/CVE-2019-15892-7.patch @@ -0,0 +1,45 @@ +From ea1d09b3b8ee8ad667b9d680013ed9448e0727dc Mon Sep 17 00:00:00 2001 +From: Martin Blix Grydeland +Date: Thu, 15 Aug 2019 14:06:00 +0200 +Subject: [PATCH] Add a test case covering some HTTP/1 parsing corner cases + +--- + bin/varnishtest/tests/b00067.vtc | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + create mode 100644 bin/varnishtest/tests/b00067.vtc + +diff --git a/bin/varnishtest/tests/b00067.vtc b/bin/varnishtest/tests/b00067.vtc +new file mode 100644 +index 0000000000..2167c9483f +--- /dev/null ++++ b/bin/varnishtest/tests/b00067.vtc +@@ -0,0 +1,29 @@ ++varnishtest "HTTP/1 parsing checks" ++ ++# Some tricky requests that have been known to cause parsing errors in the past. ++ ++server s1 { ++ rxreq ++ txresp ++} -start ++ ++varnish v1 -vcl+backend { ++} -start ++ ++# This test checks a bug that was dependent on the contents of the buffer left behind ++# by the previous request ++client c1 { ++ send "GET / HTTP/1.1\r\nHost: asdf.com\r\nFoo: baar\r\n\r\n\r\n\r\n\r\n" ++ rxresp ++ send "GET / HTTP/1.1\r\nHost: asdf.com\r\nAsdf: b\n \r\n\r\nSj\r" ++ rxresp ++ expect resp.status == 200 ++} -run ++ ++# This tests that the line continuation handling doesn't clear out the end of headers ++# [CR]LF ++client c1 { ++ send "GET / HTTP/1.1\r\nHost: asdf.com\r\nAsdf: b\n \r\n\r\nSj" ++ rxresp ++ expect resp.status == 200 ++} -run diff --git a/CVE-2019-15892-8.patch b/CVE-2019-15892-8.patch new file mode 100644 index 0000000..cf48e34 --- /dev/null +++ b/CVE-2019-15892-8.patch @@ -0,0 +1,36 @@ +From 6da64a47beff44ecdb45c82b033811f2d19819af Mon Sep 17 00:00:00 2001 +From: Martin Blix Grydeland +Date: Fri, 23 Aug 2019 13:53:42 +0200 +Subject: [PATCH] Avoid some code duplication + +Apply some adjustments to recent patches based off of review by Nils +Goroll at UPLEX (@nigoroll) +--- + bin/varnishd/http1/cache_http1_proto.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c +index 61563b8ead..31c75ed88d 100644 +--- a/bin/varnishd/http1/cache_http1_proto.c ++++ b/bin/varnishd/http1/cache_http1_proto.c +@@ -128,15 +128,16 @@ http1_dissect_hdrs(struct http *hp, char *p, struct http_conn *htc, + r++; + continue; + } +- if (!vct_iscrlf(r, htc->rxbuf_e)) { ++ i = vct_iscrlf(r, htc->rxbuf_e); ++ if (i == 0) { + VSLb(hp->vsl, SLT_BogoHeader, + "Header has ctrl char 0x%02x", *r); + return (400); + } + q = r; +- assert(r < htc->rxbuf_e); +- r = vct_skipcrlf(r, htc->rxbuf_e); +- if (r >= htc->rxbuf_e) ++ r += i; ++ assert(r <= htc->rxbuf_e); ++ if (r == htc->rxbuf_e) + break; + if (vct_iscrlf(r, htc->rxbuf_e)) + break; diff --git a/varnish.spec b/varnish.spec index d75279a..b140112 100644 --- a/varnish.spec +++ b/varnish.spec @@ -1,7 +1,7 @@ Name: varnish Summary: A web application accelerator Version: 6.0.0 -Release: 5 +Release: 6 License: BSD URL: https://www.varnish-cache.org/ Source0: http://varnish-cache.org/_downloads/varnish-%{version}.tgz -- Gitee From ab43cd598b9726474eb721e243ec251be74fbbe5 Mon Sep 17 00:00:00 2001 From: small_leek Date: Tue, 19 Jan 2021 19:43:56 +0800 Subject: [PATCH 3/3] =?UTF-8?q?=E5=9B=9E=E9=80=80=20'Pull=20Request=20!8?= =?UTF-8?q?=20:=20[sync]=20PR-7:=20Fix=20CVE-2019-15892'?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CVE-2019-15892-1.patch | 221 ----------------------------------------- CVE-2019-15892-2.patch | 25 ----- CVE-2019-15892-3.patch | 48 --------- CVE-2019-15892-4.patch | 46 --------- CVE-2019-15892-5.patch | 41 -------- CVE-2019-15892-6.patch | 60 ----------- CVE-2019-15892-7.patch | 45 --------- CVE-2019-15892-8.patch | 36 ------- varnish.spec | 2 +- 9 files changed, 1 insertion(+), 523 deletions(-) delete mode 100644 CVE-2019-15892-1.patch delete mode 100644 CVE-2019-15892-2.patch delete mode 100644 CVE-2019-15892-3.patch delete mode 100644 CVE-2019-15892-4.patch delete mode 100644 CVE-2019-15892-5.patch delete mode 100644 CVE-2019-15892-6.patch delete mode 100644 CVE-2019-15892-7.patch delete mode 100644 CVE-2019-15892-8.patch diff --git a/CVE-2019-15892-1.patch b/CVE-2019-15892-1.patch deleted file mode 100644 index 35d58b6..0000000 --- a/CVE-2019-15892-1.patch +++ /dev/null @@ -1,221 +0,0 @@ -From 177e17c8f129c58daeeb98055761ee65ab5c3dfc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Alf-Andr=C3=A9=20Walla?= -Date: Tue, 13 Aug 2019 12:52:39 +0200 -Subject: [PATCH] Add bounds-checking to vct_iscrlf and vct_skipcrlf - -The macros vct_iscrlf() and vct_skipcrlf() may look at one or two bytes -after its pointer value, causing OOB reads. This would allow -http1_dissect_hdrs to wrongly see a CRLF when one wasn't there (the last -LF left over in the bufer from the previous request). - -Change the macros to inline functions, and harden them by always sending -the end pointer so that they can't overflow. - -vct_iscrlf() will return an int value of 0 for no [CR]LF, 1 for LF and 2 -for CRLF. - -vct_skipcrlf() will return the pointer having been skipped 0, 1 or 2 -bytes. ---- - bin/varnishd/http1/cache_http1_proto.c | 16 +++++++++------- - bin/varnishtest/vtc_http.c | 26 ++++++++++++++------------ - include/vct.h | 19 +++++++++++++++++-- - bin/varnishtest/vtc_subr.c | 3 ++- - 4 files changed, 42 insertions(+), 22 deletions(-) - -diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c -index dd81863d32..5d99da47a8 100644 ---- a/bin/varnishd/http1/cache_http1_proto.c -+++ b/bin/varnishd/http1/cache_http1_proto.c -@@ -121,31 +121,31 @@ http1_dissect_hdrs(struct http *hp, char *p, struct http_conn *htc, - - /* Find end of next header */ - q = r = p; -- if (vct_iscrlf(p)) -+ if (vct_iscrlf(p, htc->rxbuf_e)) - break; - while (r < htc->rxbuf_e) { - if (!vct_isctl(*r) || vct_issp(*r)) { - r++; - continue; - } -- if (!vct_iscrlf(r)) { -+ if (!vct_iscrlf(r, htc->rxbuf_e)) { - VSLb(hp->vsl, SLT_BogoHeader, - "Header has ctrl char 0x%02x", *r); - return (400); - } - q = r; - assert(r < htc->rxbuf_e); -- r += vct_skipcrlf(r); -+ r = vct_skipcrlf(r, htc->rxbuf_e); - if (r >= htc->rxbuf_e) - break; -- if (vct_iscrlf(r)) -+ if (vct_iscrlf(r, htc->rxbuf_e)) - break; - /* If line does not continue: got it. */ - if (!vct_issp(*r)) - break; - - /* Clear line continuation LWS to spaces */ -- while (vct_islws(*q)) -+ while (q < htc->rxbuf_e && vct_islws(*q)) - *q++ = ' '; - } - -@@ -275,7 +275,7 @@ http1_splitline(struct http *hp, struct http_conn *htc, const int *hf, - hp->hd[hf[2]].b = p; - - /* Third field is optional and cannot contain CTL except TAB */ -- for (; !vct_iscrlf(p); p++) { -+ for (; p < htc->rxbuf_e && !vct_iscrlf(p, htc->rxbuf_e); p++) { - if (vct_isctl(*p) && !vct_issp(*p)) { - hp->hd[hf[2]].b = NULL; - return (400); -@@ -284,7 +284,9 @@ http1_splitline(struct http *hp, struct http_conn *htc, const int *hf, - hp->hd[hf[2]].e = p; - - /* Skip CRLF */ -- i = vct_skipcrlf(p); -+ i = vct_iscrlf(p, htc->rxbuf_e); -+ if (!i) -+ return (400); - *p = '\0'; - p += i; - -diff --git a/bin/varnishtest/vtc_http.c b/bin/varnishtest/vtc_http.c -index 616cb459e1..e17643f8eb 100644 ---- a/bin/varnishtest/vtc_http.c -+++ b/bin/varnishtest/vtc_http.c -@@ -409,6 +409,7 @@ http_splitheader(struct http *hp, int req) - char *p, *q, **hh; - int n; - char buf[20]; -+ const char* rxbuf_e = &hp->rxbuf[hp->prxbuf]; - - CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC); - if (req) { -@@ -428,20 +429,20 @@ http_splitheader(struct http *hp, int req) - hh[n++] = p; - while (!vct_islws(*p)) - p++; -- AZ(vct_iscrlf(p)); -+ AZ(vct_iscrlf(p, rxbuf_e)); - *p++ = '\0'; - - /* URL/STATUS */ - while (vct_issp(*p)) /* XXX: H space only */ - p++; -- AZ(vct_iscrlf(p)); -+ AZ(vct_iscrlf(p, rxbuf_e)); - hh[n++] = p; - while (!vct_islws(*p)) - p++; -- if (vct_iscrlf(p)) { -+ if (vct_iscrlf(p, rxbuf_e)) { - hh[n++] = NULL; - q = p; -- p += vct_skipcrlf(p); -+ p = vct_skipcrlf(p, rxbuf_e); - *q = '\0'; - } else { - *p++ = '\0'; -@@ -449,26 +450,26 @@ http_splitheader(struct http *hp, int req) - while (vct_issp(*p)) /* XXX: H space only */ - p++; - hh[n++] = p; -- while (!vct_iscrlf(p)) -+ while (!vct_iscrlf(p, rxbuf_e)) - p++; - q = p; -- p += vct_skipcrlf(p); -+ p = vct_skipcrlf(p, rxbuf_e); - *q = '\0'; - } - assert(n == 3); - - while (*p != '\0') { - assert(n < MAX_HDR); -- if (vct_iscrlf(p)) -+ if (vct_iscrlf(p, rxbuf_e)) - break; - hh[n++] = p++; -- while (*p != '\0' && !vct_iscrlf(p)) -+ while (*p != '\0' && !vct_iscrlf(p, rxbuf_e)) - p++; - q = p; -- p += vct_skipcrlf(p); -+ p = vct_skipcrlf(p, rxbuf_e); - *q = '\0'; - } -- p += vct_skipcrlf(p); -+ p = vct_skipcrlf(p, rxbuf_e); - assert(*p == '\0'); - - for (n = 0; n < 3 || hh[n] != NULL; n++) { -@@ -564,15 +565,16 @@ http_rxchunk(struct http *hp) - vtc_dump(hp->vl, 4, "chunk", hp->rxbuf + l, i); - } - l = hp->prxbuf; -+ - if (http_rxchar(hp, 2, 0) < 0) - return (-1); -- if (!vct_iscrlf(hp->rxbuf + l)) { -+ if (!vct_iscrlf(&hp->rxbuf[l], &hp->rxbuf[hp->prxbuf])) { - vtc_log(hp->vl, hp->fatal, - "Wrong chunk tail[0] = %02x", - hp->rxbuf[l] & 0xff); - return (-1); - } -- if (!vct_iscrlf(hp->rxbuf + l + 1)) { -+ if (!vct_iscrlf(&hp->rxbuf[l + 1], &hp->rxbuf[hp->prxbuf])) { - vtc_log(hp->vl, hp->fatal, - "Wrong chunk tail[1] = %02x", - hp->rxbuf[l + 1] & 0xff); -diff --git a/include/vct.h b/include/vct.h -index 24143a3322..1b7ffbd4f5 100644 ---- a/include/vct.h -+++ b/include/vct.h -@@ -76,7 +76,22 @@ vct_is(int x, uint16_t y) - #define vct_isxmlname(x) vct_is(x, VCT_XMLNAMESTART | VCT_XMLNAME) - #define vct_istchar(x) vct_is(x, VCT_ALPHA | VCT_DIGIT | VCT_TCHAR) - --#define vct_iscrlf(p) (((p)[0] == 0x0d && (p)[1] == 0x0a) || (p)[0] == 0x0a) -+static inline int -+vct_iscrlf(const char* p, const char* end) -+{ -+ assert(p <= end); -+ if (p == end) -+ return (0); -+ if ((p[0] == 0x0d && (p+1 < end) && p[1] == 0x0a)) // CR LF -+ return (2); -+ if (p[0] == 0x0a) // LF -+ return (1); -+ return (0); -+} - - /* NB: VCT always operate in ASCII, don't replace 0x0d with \r etc. */ --#define vct_skipcrlf(p) ((p)[0] == 0x0d && (p)[1] == 0x0a ? 2 : 1) -+static inline char* -+vct_skipcrlf(char* p, const char* end) -+{ -+ return (p + vct_iscrlf(p, end)); -+} -diff --git a/bin/varnishtest/vtc_subr.c b/bin/varnishtest/vtc_subr.c -index 2c1439a..f200981 100644 ---- a/bin/varnishtest/vtc_subr.c -+++ b/bin/varnishtest/vtc_subr.c -@@ -33,10 +33,11 @@ - #include - #include - -+#include "vtc.h" -+ - #include "vct.h" - #include "vnum.h" - #include "vre.h" --#include "vtc.h" - - struct vsb * - vtc_hex_to_bin(struct vtclog *vl, const char *arg) diff --git a/CVE-2019-15892-2.patch b/CVE-2019-15892-2.patch deleted file mode 100644 index d519f95..0000000 --- a/CVE-2019-15892-2.patch +++ /dev/null @@ -1,25 +0,0 @@ -From f98c250300bd7303bb7b706384ec153101a3eab0 Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland -Date: Thu, 15 Aug 2019 10:44:00 +0200 -Subject: [PATCH] Allow a NULL value in http_Proto - -The proto field is optional in HTTP, so it may not be set. Set the proto -to 0 also for a NULL value instead of segfaulting if it were NULL. ---- - bin/varnishd/cache/cache_http.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/bin/varnishd/cache/cache_http.c b/bin/varnishd/cache/cache_http.c -index 23eaa0b183..070ead2e6b 100644 ---- a/bin/varnishd/cache/cache_http.c -+++ b/bin/varnishd/cache/cache_http.c -@@ -212,7 +212,8 @@ http_Proto(struct http *to) - - fm = to->hd[HTTP_HDR_PROTO].b; - -- if ((fm[0] == 'H' || fm[0] == 'h') && -+ if (fm != NULL && -+ (fm[0] == 'H' || fm[0] == 'h') && - (fm[1] == 'T' || fm[1] == 't') && - (fm[2] == 'T' || fm[2] == 't') && - (fm[3] == 'P' || fm[3] == 'p') && diff --git a/CVE-2019-15892-3.patch b/CVE-2019-15892-3.patch deleted file mode 100644 index f47a3f2..0000000 --- a/CVE-2019-15892-3.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 3dc8c15adc23456f494fd23455b2251efe275eda Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland -Date: Thu, 15 Aug 2019 10:56:58 +0200 -Subject: [PATCH] Fix http1_splitline parsing of 2 field HTTP proto lines using - NLNL - -When parsing a request like this, "GET /\n\n", the first NL would be -overwritten by nul guard inserted after the 2nd field, and the second NL -would be overwritten by the nul guard after the missing 3rd field. This -would cause http1_dissect_hdrs to attempt to decode the body as headers. ---- - bin/varnishd/http1/cache_http1_proto.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c -index 5d99da47a8..af9ca3898c 100644 ---- a/bin/varnishd/http1/cache_http1_proto.c -+++ b/bin/varnishd/http1/cache_http1_proto.c -@@ -224,7 +224,7 @@ static uint16_t - http1_splitline(struct http *hp, struct http_conn *htc, const int *hf, - unsigned maxhdr) - { -- char *p; -+ char *p, *q; - int i; - - assert(hf == HTTP1_Req || hf == HTTP1_Resp); -@@ -265,14 +265,19 @@ http1_splitline(struct http *hp, struct http_conn *htc, const int *hf, - hp->hd[hf[1]].e = p; - if (!Tlen(hp->hd[hf[1]])) - return (400); -- *p++ = '\0'; - - /* Skip SP */ -+ q = p; - for (; vct_issp(*p); p++) { - if (vct_isctl(*p)) - return (400); - } - hp->hd[hf[2]].b = p; -+ if (q < p) -+ *q = '\0'; /* Nul guard for the 2nd field. If q == p -+ * (the third optional field is not -+ * present), the last nul guard will -+ * cover this field. */ - - /* Third field is optional and cannot contain CTL except TAB */ - for (; p < htc->rxbuf_e && !vct_iscrlf(p, htc->rxbuf_e); p++) { diff --git a/CVE-2019-15892-4.patch b/CVE-2019-15892-4.patch deleted file mode 100644 index 00e8667..0000000 --- a/CVE-2019-15892-4.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 73befed1a6950f5312e3a422dde82a7bb5a8bbe3 Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland -Date: Thu, 15 Aug 2019 11:16:22 +0200 -Subject: [PATCH] Do not set the proto txt.b value when third field is missing - -In http1_splitline, if the third field is missing, we would still set the -txt.b value to where the field would have been, with a NULL txt.e -entry. This would cause http_Proto to attempt to parse the values -there. Fix this by only setting the .b and .e if the third field was -present. ---- - bin/varnishd/http1/cache_http1_proto.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c -index af9ca3898c..e55555bf19 100644 ---- a/bin/varnishd/http1/cache_http1_proto.c -+++ b/bin/varnishd/http1/cache_http1_proto.c -@@ -272,7 +272,6 @@ http1_splitline(struct http *hp, struct http_conn *htc, const int *hf, - if (vct_isctl(*p)) - return (400); - } -- hp->hd[hf[2]].b = p; - if (q < p) - *q = '\0'; /* Nul guard for the 2nd field. If q == p - * (the third optional field is not -@@ -280,13 +279,15 @@ http1_splitline(struct http *hp, struct http_conn *htc, const int *hf, - * cover this field. */ - - /* Third field is optional and cannot contain CTL except TAB */ -+ q = p; - for (; p < htc->rxbuf_e && !vct_iscrlf(p, htc->rxbuf_e); p++) { -- if (vct_isctl(*p) && !vct_issp(*p)) { -- hp->hd[hf[2]].b = NULL; -+ if (vct_isctl(*p) && !vct_issp(*p)) - return (400); -- } - } -- hp->hd[hf[2]].e = p; -+ if (p > q) { -+ hp->hd[hf[2]].b = q; -+ hp->hd[hf[2]].e = p; -+ } - - /* Skip CRLF */ - i = vct_iscrlf(p, htc->rxbuf_e); diff --git a/CVE-2019-15892-5.patch b/CVE-2019-15892-5.patch deleted file mode 100644 index a4f05a3..0000000 --- a/CVE-2019-15892-5.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 3eb7a04587d235bec5a312d3eae652abd8a63a14 Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland -Date: Thu, 15 Aug 2019 11:19:41 +0200 -Subject: [PATCH] Be stricter on final [CR]LF parsing in http1_dissect_hdrs - -The end of http1_dissect_hdrs ends with skipping over the final [CR]LF -that marks then end of the headers. Currently that skip is optional, that -is, it is skipped if it was present. - -This patch adds an assert if the final [CR]LF is not found when finishing -the parsing. HTTP1_Complete guarantees that it is there, if not we would -not have started parsing the request or response in the first place, and -if it is missing, there must be an error in the parsing leading up to it. ---- - bin/varnishd/http1/cache_http1_proto.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c -index e55555bf19..e5203a94ec 100644 ---- a/bin/varnishd/http1/cache_http1_proto.c -+++ b/bin/varnishd/http1/cache_http1_proto.c -@@ -117,6 +117,7 @@ http1_dissect_hdrs(struct http *hp, char - unsigned maxhdr) - { - char *q, *r; -+ int i; - - assert(p > htc->rxbuf_b); - assert(p <= htc->rxbuf_e); -@@ -213,8 +214,9 @@ http1_dissect_hdrs(struct http *hp, char - break; - } - } -- if (p < htc->rxbuf_e) -- p += vct_skipcrlf(p); -+ i = vct_iscrlf(p, htc->rxbuf_e); -+ assert(i > 0); /* HTTP1_Complete guarantees this */ -+ p += i; - HTC_RxPipeline(htc, p); - htc->rxbuf_e = p; - return (0); diff --git a/CVE-2019-15892-6.patch b/CVE-2019-15892-6.patch deleted file mode 100644 index 1b5f94c..0000000 --- a/CVE-2019-15892-6.patch +++ /dev/null @@ -1,60 +0,0 @@ -From bf18bb21ef9c269edadac549b7b7d43fdb87051c Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland -Date: Thu, 15 Aug 2019 12:54:50 +0200 -Subject: [PATCH] Fix HTTP header line continuation in http1_dissect_hdrs - -When clearing the [CR]LF in a line continuation, we would continue -replacing any [CR|LF|HT|SP] characters up until the end of the buffer, -possibly overwriting later [CR]LFs. Fix this by only unconditionally -overwrite one [CR]LF, and then only replace [HT|SP] with SP to keep with -previous behaviour. - -Update r00494.vtc to include multiple line continuations to make sure they -are parsed. ---- - bin/varnishd/http1/cache_http1_proto.c | 4 +++- - bin/varnishtest/tests/r00494.vtc | 11 +++++++++++ - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c -index e5203a94ec..e373d7d5d5 100644 ---- a/bin/varnishd/http1/cache_http1_proto.c -+++ b/bin/varnishd/http1/cache_http1_proto.c -@@ -146,7 +146,9 @@ http1_dissect_hdrs(struct http *hp, char *p, struct http_conn *htc, - break; - - /* Clear line continuation LWS to spaces */ -- while (q < htc->rxbuf_e && vct_islws(*q)) -+ while (q < r) -+ *q++ = ' '; -+ while (q < htc->rxbuf_e && vct_issp(*q)) - *q++ = ' '; - } - -diff --git a/bin/varnishtest/tests/r00494.vtc b/bin/varnishtest/tests/r00494.vtc -index cb0bbe8d7b..e0db8a4bf8 100644 ---- a/bin/varnishtest/tests/r00494.vtc -+++ b/bin/varnishtest/tests/r00494.vtc -@@ -6,6 +6,11 @@ server s1 { - rxreq - txresp -hdr {Foo: bar, - barf: fail} -body "xxx" -+ -+ rxreq -+ txresp -hdr {Foo: bar, -+ -+ barf: fail} -body "xxx" - } -start - - varnish v1 -vcl+backend { -@@ -21,4 +26,10 @@ client c1 { - expect resp.http.bar == "bar, barf: fail" - expect resp.http.barf == - expect resp.http.foo == -+ -+ txreq -url /2 -+ rxresp -+ expect resp.http.bar == "bar, barf: fail" -+ expect resp.http.barf == -+ expect resp.http.foo == - } -run diff --git a/CVE-2019-15892-7.patch b/CVE-2019-15892-7.patch deleted file mode 100644 index 3141f34..0000000 --- a/CVE-2019-15892-7.patch +++ /dev/null @@ -1,45 +0,0 @@ -From ea1d09b3b8ee8ad667b9d680013ed9448e0727dc Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland -Date: Thu, 15 Aug 2019 14:06:00 +0200 -Subject: [PATCH] Add a test case covering some HTTP/1 parsing corner cases - ---- - bin/varnishtest/tests/b00067.vtc | 29 +++++++++++++++++++++++++++++ - 1 file changed, 29 insertions(+) - create mode 100644 bin/varnishtest/tests/b00067.vtc - -diff --git a/bin/varnishtest/tests/b00067.vtc b/bin/varnishtest/tests/b00067.vtc -new file mode 100644 -index 0000000000..2167c9483f ---- /dev/null -+++ b/bin/varnishtest/tests/b00067.vtc -@@ -0,0 +1,29 @@ -+varnishtest "HTTP/1 parsing checks" -+ -+# Some tricky requests that have been known to cause parsing errors in the past. -+ -+server s1 { -+ rxreq -+ txresp -+} -start -+ -+varnish v1 -vcl+backend { -+} -start -+ -+# This test checks a bug that was dependent on the contents of the buffer left behind -+# by the previous request -+client c1 { -+ send "GET / HTTP/1.1\r\nHost: asdf.com\r\nFoo: baar\r\n\r\n\r\n\r\n\r\n" -+ rxresp -+ send "GET / HTTP/1.1\r\nHost: asdf.com\r\nAsdf: b\n \r\n\r\nSj\r" -+ rxresp -+ expect resp.status == 200 -+} -run -+ -+# This tests that the line continuation handling doesn't clear out the end of headers -+# [CR]LF -+client c1 { -+ send "GET / HTTP/1.1\r\nHost: asdf.com\r\nAsdf: b\n \r\n\r\nSj" -+ rxresp -+ expect resp.status == 200 -+} -run diff --git a/CVE-2019-15892-8.patch b/CVE-2019-15892-8.patch deleted file mode 100644 index cf48e34..0000000 --- a/CVE-2019-15892-8.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 6da64a47beff44ecdb45c82b033811f2d19819af Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland -Date: Fri, 23 Aug 2019 13:53:42 +0200 -Subject: [PATCH] Avoid some code duplication - -Apply some adjustments to recent patches based off of review by Nils -Goroll at UPLEX (@nigoroll) ---- - bin/varnishd/http1/cache_http1_proto.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c -index 61563b8ead..31c75ed88d 100644 ---- a/bin/varnishd/http1/cache_http1_proto.c -+++ b/bin/varnishd/http1/cache_http1_proto.c -@@ -128,15 +128,16 @@ http1_dissect_hdrs(struct http *hp, char *p, struct http_conn *htc, - r++; - continue; - } -- if (!vct_iscrlf(r, htc->rxbuf_e)) { -+ i = vct_iscrlf(r, htc->rxbuf_e); -+ if (i == 0) { - VSLb(hp->vsl, SLT_BogoHeader, - "Header has ctrl char 0x%02x", *r); - return (400); - } - q = r; -- assert(r < htc->rxbuf_e); -- r = vct_skipcrlf(r, htc->rxbuf_e); -- if (r >= htc->rxbuf_e) -+ r += i; -+ assert(r <= htc->rxbuf_e); -+ if (r == htc->rxbuf_e) - break; - if (vct_iscrlf(r, htc->rxbuf_e)) - break; diff --git a/varnish.spec b/varnish.spec index b140112..d75279a 100644 --- a/varnish.spec +++ b/varnish.spec @@ -1,7 +1,7 @@ Name: varnish Summary: A web application accelerator Version: 6.0.0 -Release: 6 +Release: 5 License: BSD URL: https://www.varnish-cache.org/ Source0: http://varnish-cache.org/_downloads/varnish-%{version}.tgz -- Gitee