From: phk Date: Sat, 10 Jan 2009 22:27:39 +0000 (+0000) Subject: Don't panic if the chunked header is ridiculously long, just fail X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=578a4be2ec54806e3e8eb27ca65b37c0ce3627c8;p=varnish Don't panic if the chunked header is ridiculously long, just fail the transaction. Fixes #387 git-svn-id: svn+ssh://projects.linpro.no/svn/varnish/trunk@3500 d4fa192b-c00b-0410-8231-f00ffab90ce4 --- diff --git a/varnish-cache/bin/varnishd/cache_fetch.c b/varnish-cache/bin/varnishd/cache_fetch.c index fed31003..ec6a9e6a 100644 --- a/varnish-cache/bin/varnishd/cache_fetch.c +++ b/varnish-cache/bin/varnishd/cache_fetch.c @@ -110,7 +110,8 @@ fetch_chunked(struct sess *sp, struct http_conn *htc) /* If we didn't succeed, add to buffer, try again */ if (q == NULL || q == buf || *q != '\n') { - xxxassert(be > bp); + if (bp >= be) + return (-1); /* * The semantics we need here is "read until you have * received at least one character, but feel free to diff --git a/varnish-cache/bin/varnishtest/tests/r00387.vtc b/varnish-cache/bin/varnishtest/tests/r00387.vtc new file mode 100644 index 00000000..5d2d3522 --- /dev/null +++ b/varnish-cache/bin/varnishtest/tests/r00387.vtc @@ -0,0 +1,22 @@ +# $Id$ + +test "Regression test for #387: too long chunk header" + +server s1 { + rxreq + send "HTTP/1.1 200 Ok\r\n" + send "Transfer-encoding: chunked\r\n" + send "\r\n" + send "004\r\n1234\r\n" + send "000000000000000000001\r\n@\r\n" + send "00000000\r\n" +} -start + +varnish v1 -vcl+backend {} -start + +client c1 { + txreq + rxresp + expect resp.status == 503 +} -run +
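Review bot: the new `if (bp >= be) return (-1);` branch in fetch_chunked() fails the fetch without recording why, so an operator who sees the resulting 503 has nothing that ties it to an oversized chunk header. Consider logging the condition before returning, and adding a one-line comment saying that a full `buf` at this point means the chunk-size line did not fit. The visible context does not show whether anything acquired earlier in the function has to be released on this early return; that is worth confirming, since the old `xxxassert(be > bp)` never returned from here.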
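Review bot: in r00387.vtc the oversized line `send "000000000000000000001\r\n@\r\n"` is only 21 digits long, so the test silently depends on the size of `buf` in fetch_chunked(), which the test never states. If that buffer is enlarged later, the chunk parses normally and `expect resp.status == 503` fails for a reason that is not obvious from the test. Either make the chunk-size line far longer than any plausible buffer or add a comment naming the dependency. It is also worth noting in the test description that the padded value is a numerically valid chunk size (1, matching the single `@` byte), so the 503 comes purely from the length limit.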