Control: tags 870467 + pending

Dear maintainer,

I've prepared an NMU for varnish (versioned as 5.0.0-7.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru varnish-5.0.0/debian/changelog varnish-5.0.0/debian/changelog
--- varnish-5.0.0/debian/changelog	2017-03-02 18:16:05.000000000 +0100
+++ varnish-5.0.0/debian/changelog	2017-08-04 06:43:38.000000000 +0200
@@ -1,3 +1,13 @@
+varnish (5.0.0-7.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Correctly handle bogusly large chunk sizes.
+    This fixes a denial of service attack vector where bogusly large chunk
+    sizes in requests could be used to force restarts of the Varnish server.
+    (Closes: #870467)
+
+ -- Salvatore Bonaccorso <[email protected]>  Fri, 04 Aug 2017 06:43:38 +0200
+
 varnish (5.0.0-7) unstable; urgency=medium
 
   * Remove reload from varnish.service (Closes: #749272)
diff -Nru varnish-5.0.0/debian/patches/5.0-Correctly-handle-bogusly-large-chunk-sizes.patch varnish-5.0.0/debian/patches/5.0-Correctly-handle-bogusly-large-chunk-sizes.patch
--- varnish-5.0.0/debian/patches/5.0-Correctly-handle-bogusly-large-chunk-sizes.patch	1970-01-01 01:00:00.000000000 +0100
+++ varnish-5.0.0/debian/patches/5.0-Correctly-handle-bogusly-large-chunk-sizes.patch	2017-08-04 06:43:38.000000000 +0200
@@ -0,0 +1,109 @@
+From e32377f0455ddf7a7836cc0d21d78906e9938119 Mon Sep 17 00:00:00 2001
+From: Martin Blix Grydeland <[email protected]>
+Date: Thu, 27 Jul 2017 11:52:58 +0200
+Subject: [PATCH] Correctly handle bogusly large chunk sizes
+
+This fixes a denial of service attack vector where bogusly large chunk
+sizes in requests could be used to force restarts of the Varnish
+server.
+
+This is Varnish Security Vulnerability VSV00001
+
+For more information visit: https://varnish-cache.org/security/VSV00001
+
+Fixes: #2379
+---
+ bin/varnishd/http1/cache_http1_vfp.c |  2 +-
+ bin/varnishtest/tests/f00001.vtc     | 67 ++++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+), 1 deletion(-)
+ create mode 100644 bin/varnishtest/tests/f00001.vtc
+
+diff --git a/bin/varnishd/http1/cache_http1_vfp.c b/bin/varnishd/http1/cache_http1_vfp.c
+index b836cd3..ded1550 100644
+--- a/bin/varnishd/http1/cache_http1_vfp.c
++++ b/bin/varnishd/http1/cache_http1_vfp.c
+@@ -155,7 +155,7 @@ v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr,
+ 		if (q == NULL || *q != '\0')
+ 			return (VFP_Error(vc, "chunked header number syntax"));
+ 		cl = (ssize_t)cll;
+-		if((uintmax_t)cl != cll)
++		if (cl < 0 || (uintmax_t)cl != cll)
+ 			return (VFP_Error(vc, "bogusly large chunk size"));
+ 
+ 		vfe->priv2 = cl;
+diff --git a/bin/varnishtest/tests/f00001.vtc b/bin/varnishtest/tests/f00001.vtc
+new file mode 100644
+index 0000000..46dbe94
+--- /dev/null
++++ b/bin/varnishtest/tests/f00001.vtc
+@@ -0,0 +1,67 @@
++varnishtest "Check that we handle bogusly large chunks correctly"
++
++# Check that the bug has been fixed
++
++server s1 {
++	rxreq
++	txresp
++
++	accept
++	rxreq
++	txresp
++} -start
++
++varnish v1 -vcl+backend {
++} -start
++
++client c1 {
++	send "POST / HTTP/1.1\r\n"
++	send "Transfer-Encoding: chunked\r\n\r\n"
++	send "FFFFFFFFFFFFFFED\r\n"
++	send "0\r\n\r\n"
++
++	rxresp
++	expect resp.status == 503
++} -run
++
++# Check that the published workaround does not cause harm
++
++varnish v1 -cliok "param.set vcc_allow_inline_c true"
++
++varnish v1 -vcl+backend {
++        sub exploit_workaround {
++                # This needs to be defined before your vcl_recv function
++                # Make sure that the runtime parameter vcc_allow_inline_c is set to true
++                if (req.http.transfer-encoding ~ "(?i)chunked") {
++                        C{
++                        struct dummy_req {
++                                unsigned        magic;
++                                int             step;
++                                int             req_body_status;
++                        };
++                        ((struct dummy_req *)ctx->req)->req_body_status = 5;
++                        }C
++
++                        return (synth(503, "Bad request"));
++                }
++        }
++
++        sub vcl_recv {
++                # Call this early in your vcl_recv function
++                call exploit_workaround;
++        }
++}
++
++client c1 {
++	send "POST / HTTP/1.1\r\n"
++	send "Transfer-Encoding: chunked\r\n\r\n"
++	send "FFFFFFFFFFFFFFED\r\n0\r\n\r\n"
++
++	expect_close
++} -run
++
++client c1 {
++	txreq
++	rxresp
++	expect resp.status == 200
++} -run
+-- 
+2.1.4
+
diff -Nru varnish-5.0.0/debian/patches/series varnish-5.0.0/debian/patches/series
--- varnish-5.0.0/debian/patches/series	2017-03-02 18:16:05.000000000 +0100
+++ varnish-5.0.0/debian/patches/series	2017-08-04 06:43:38.000000000 +0200
@@ -1 +1,2 @@
 0001-Ensure-package-builds-reproducibly.patch
+5.0-Correctly-handle-bogusly-large-chunk-sizes.patch

Reply via email to