[packages/varnish/VARNISH_2_0] CVE-2013-4484 fix backport

glen glen at pld-linux.org
Mon Dec 9 20:36:57 CET 2013


commit 94dbf1d97a789c337121de18fac5596e7e7ed0e7
Author: Elan Ruusamäe <glen at delfi.ee>
Date:   Mon Dec 9 21:35:43 2013 +0200

    CVE-2013-4484 fix backport
    
    by Ingvar Hagelund from
    https://bugzilla.redhat.com/show_bug.cgi?id=1025127

 varnish.fix_CVE-2013-4484.patch.txt | 145 ++++++++++++++++++++++++++++++++++++
 1 file changed, 145 insertions(+)
---
diff --git a/varnish.fix_CVE-2013-4484.patch.txt b/varnish.fix_CVE-2013-4484.patch.txt
new file mode 100644
index 0000000..d4c4807
--- /dev/null
+++ b/varnish.fix_CVE-2013-4484.patch.txt
@@ -0,0 +1,145 @@
+diff -Naur ../varnish-2.0.6.orig/bin/varnishd/cache_center.c ./bin/varnishd/cache_center.c
+--- ../varnish-2.0.6.orig/bin/varnishd/cache_center.c	2009-12-16 09:50:50.000000000 +0100
++++ ./bin/varnishd/cache_center.c	2013-11-05 12:28:50.333308473 +0100
+@@ -879,9 +879,12 @@
+ static int
+ cnt_start(struct sess *sp)
+ {
+-	int done;
++	int err_code;
+ 	char *p;
+-	const char *r = "HTTP/1.1 100 Continue\r\n\r\n";
++	const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n";
++	const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n";
++	const char *r_413 = "HTTP/1.1 413 Request Entity Too Large\r\n\r\n";
++	const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n";
+ 
+ 	CHECK_OBJ_NOTNULL(sp, SESS_MAGIC);
+ 	AZ(sp->restarts);
+@@ -904,10 +907,14 @@
+ 	sp->wrk->vcl = NULL;
+ 
+ 	http_Setup(sp->http, sp->ws);
+-	done = http_DissectRequest(sp);
++	err_code = http_DissectRequest(sp);
+ 
+ 	/* If we could not even parse the request, just close */
+-	if (done < 0) {
++	if (err_code == 400)
++		(void)write(sp->fd, r_400, strlen(r_400));
++	else if (err_code == 413)
++		(void)write(sp->fd, r_413, strlen(r_413));
++	if (err_code != 0) {
+ 		sp->step = STP_DONE;
+ 		vca_close_session(sp, "junk");
+ 		return (0);
+@@ -919,12 +926,6 @@
+ 	/* Catch original request, before modification */
+ 	*sp->http0 = *sp->http;
+ 
+-	if (done != 0) {
+-		sp->err_code = done;
+-		sp->step = STP_ERROR;
+-		return (0);
+-	}
+-
+ 	sp->doclose = http_DoConnection(sp->http);
+ 
+ 	/* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */
+@@ -934,13 +935,14 @@
+ 	 */
+ 	if (http_GetHdr(sp->http, H_Expect, &p)) {
+ 		if (strcmp(p, "100-continue")) {
+-			sp->err_code = 417;
+-			sp->step = STP_ERROR;
++			(void)write(sp->fd, r_417, strlen(r_417));
++			sp->step = STP_DONE;
++			vca_close_session(sp, "junk");
+ 			return (0);
+ 		}
+ 
+ 		/* XXX: Don't bother with write failures for now */
+-		(void)write(sp->fd, r, strlen(r));
++		(void)write(sp->fd, r_100, strlen(r_100));
+ 		/* XXX: When we do ESI includes, this is not removed
+ 		 * XXX: because we use http0 as our basis.  Believed
+ 		 * XXX: safe, but potentially confusing.
+diff -Naur ../varnish-2.0.6.orig/bin/varnishd/cache_http.c ./bin/varnishd/cache_http.c
+--- ../varnish-2.0.6.orig/bin/varnishd/cache_http.c	2009-10-13 11:05:39.000000000 +0200
++++ ./bin/varnishd/cache_http.c	2013-11-05 11:23:39.809565475 +0100
+@@ -464,6 +464,28 @@
+ 
+ /*--------------------------------------------------------------------*/
+ 
++static int
++htc_request_check_host_hdr(struct http *hp)
++{
++        int u;
++        int seen_host = 0;
++        for (u = HTTP_HDR_FIRST; u < hp->nhd; u++) {
++                if (hp->hd[u].b == NULL)
++                        continue;
++                AN(hp->hd[u].b);
++                AN(hp->hd[u].e);
++                if (http_IsHdr(&hp->hd[u], H_Host)) {
++                        if (seen_host) {
++                                return (400);
++                        }
++                        seen_host = 1;
++                }
++        }
++        return (0);
++}
++
++/*--------------------------------------------------------------------*/
++
+ static void
+ http_ProtoVer(struct http *hp)
+ {
+@@ -501,6 +523,12 @@
+ 		return (i);
+ 	}
+ 	http_ProtoVer(hp);
++
++	i = htc_request_check_host_hdr(hp);
++	if (i != 0) {
++		WSP(sp, SLT_Error, "Duplicated Host header");
++		return (i);
++	}
+ 	return (i);
+ }
+ 
+diff -Naur ../varnish-2.0.6.orig/bin/varnishtest/tests/r01367.vtc ./bin/varnishtest/tests/r01367.vtc
+--- ../varnish-2.0.6.orig/bin/varnishtest/tests/r01367.vtc	1970-01-01 01:00:00.000000000 +0100
++++ ./bin/varnishtest/tests/r01367.vtc	2013-11-05 11:20:10.142927946 +0100
+@@ -0,0 +1,30 @@
++test "blank GET"
++
++server s1 {
++	rxreq
++	txresp
++} -start
++
++varnish v1 -vcl+backend { 
++	sub vcl_error {
++		return (restart);
++	}
++} -start
++
++client c1 {
++	send "GET    \nHost: example.com\n\n"
++	rxresp
++	expect resp.status == 400
++} -run
++
++client c1 {
++	txreq -hdr "Expect: Santa-Claus"
++	rxresp
++	expect resp.status == 417
++} -run
++
++client c1 {
++	txreq
++	rxresp
++	expect resp.status == 200
++} -run
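Review bot: In the new cnt_start, only err_code values 400 and 413 get a canned status line written before the session is closed; any other non-zero value returned by http_DissectRequest now closes the connection with no response at all, whereas the removed `done != 0` branch used to route every non-zero code through STP_ERROR. If http_DissectRequest can return other codes in this tree (not visible in the hunk), a fallback such as `else if (err_code != 0) (void)write(sp->fd, r_400, strlen(r_400));` keeps clients from seeing a bare disconnect. The comment `/* If we could not even parse the request, just close */` now sits above the write calls rather than the close, so it no longer describes the code under it; move it to the `if (err_code != 0)` line or reword it as `/* Answer with a canned status line and close; malformed requests never reach vcl_error */`. In http_DissectRequest the final `return (i);` after the host check is only reached with i == 0 and would read more clearly as `return (0);`. cnt_start's body continues outside the hunk.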

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/varnish.git/commitdiff/38574da68377119f2167775a94a660d2119166e4


