From: phk Date: Tue, 20 Nov 2007 21:27:20 +0000 (+0000) Subject: Handle unreasonably long (ie: larger than the objects workspace) elements X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67439fcb527fa2463f13b3a5d2abb72973de61e7;p=varnish Handle unreasonably long (ie: larger than the objects workspace) elements gracefully. git-svn-id: svn+ssh://projects.linpro.no/svn/varnish/trunk@2280 d4fa192b-c00b-0410-8231-f00ffab90ce4 --- diff --git a/varnish-cache/bin/varnishd/cache_vrt_esi.c b/varnish-cache/bin/varnishd/cache_vrt_esi.c index 475d7c4d..8eecf242 100644 --- a/varnish-cache/bin/varnishd/cache_vrt_esi.c +++ b/varnish-cache/bin/varnishd/cache_vrt_esi.c @@ -637,6 +637,16 @@ VRT_ESI(struct sess *sp) u = ew->t.e - p; t.b = sp->obj->ws_o->f; t.e = t.b + WS_Reserve(sp->obj->ws_o, 0); + if (t.b + u >= t.e) { + esi_error(ew, p, ew->t.e - p, + "XML 1.0 unreasonably long element"); + WS_Release(sp->obj->ws_o, 0); + ew->dst.b = p; + ew->dst.e = ew->t.e; + esi_addbit(ew); + p = NULL; + continue; + } assert(t.e > t.b + u); /* XXX incredibly long element ? */ memcpy(t.b, p, u); @@ -646,14 +656,22 @@ VRT_ESI(struct sess *sp) q = t.b + u; p = (void*)st2->ptr; while (1) { - if (p >= (char *)st2->ptr + st2->len) - INCOMPL(); - if (q >= t.e) - INCOMPL(); + if (p >= (char *)st2->ptr + st2->len || q >= t.e) { + esi_error(ew, t.b, q - t.b, + "XML 1.0 unreasonably long element"); + WS_Release(sp->obj->ws_o, 0); + ew->dst.b = t.b; + ew->dst.e = q; + esi_addbit(ew); + p = NULL; + break; + } *q = *p++; if (*q++ == '>') break; } + if (p == NULL) + continue; WS_ReleaseP(sp->obj->ws_o, q); t.e = q; @@ -666,10 +684,10 @@ VRT_ESI(struct sess *sp) } if (ew->remflg) - esi_error(ew, NULL, 0, + esi_error(ew, ew->t.e, -1, "ESI 1.0 unterminated element"); if (ew->incmt) - esi_error(ew, NULL, 0, + esi_error(ew, ew->t.e, -1, "ESI 1.0 unterminated