From: phk <phk@d4fa192b-c00b-0410-8231-f00ffab90ce4>
Date: Sat, 10 Jan 2009 22:27:39 +0000 (+0000)
Subject: Don't panic if the chunked header is ridiculously long, just fail
X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=578a4be2ec54806e3e8eb27ca65b37c0ce3627c8;p=varnish

Don't panic if the chunked header is ridiculously long, just fail
the transaction.

Fixes #387



git-svn-id: svn+ssh://projects.linpro.no/svn/varnish/trunk@3500 d4fa192b-c00b-0410-8231-f00ffab90ce4
---

diff --git a/varnish-cache/bin/varnishd/cache_fetch.c b/varnish-cache/bin/varnishd/cache_fetch.c
index fed31003..ec6a9e6a 100644
--- a/varnish-cache/bin/varnishd/cache_fetch.c
+++ b/varnish-cache/bin/varnishd/cache_fetch.c
@@ -110,7 +110,8 @@ fetch_chunked(struct sess *sp, struct http_conn *htc)
 
 		/* If we didn't succeed, add to buffer, try again */
 		if (q == NULL || q == buf || *q != '\n') {
-			xxxassert(be > bp);
+			if (bp >= be)
+				return (-1);
 			/*
 			 * The semantics we need here is "read until you have
 			 * received at least one character, but feel free to
diff --git a/varnish-cache/bin/varnishtest/tests/r00387.vtc b/varnish-cache/bin/varnishtest/tests/r00387.vtc
new file mode 100644
index 00000000..5d2d3522
--- /dev/null
+++ b/varnish-cache/bin/varnishtest/tests/r00387.vtc
@@ -0,0 +1,22 @@
+# $Id$
+
+test "Regression test for #387: too long chunk header"
+
+server s1 {
+	rxreq
+	send "HTTP/1.1 200 Ok\r\n"
+	send "Transfer-encoding: chunked\r\n"
+	send "\r\n"
+	send "004\r\n1234\r\n"
+	send "000000000000000000001\r\n@\r\n"
+	send "00000000\r\n"
+} -start
+
+varnish v1 -vcl+backend {} -start
+
+client c1 {
+	txreq
+	rxresp
+	expect resp.status == 503
+} -run
+