import varnish-6.0.8-1.module+el8.5.0+11919+2c98a2b6

This commit is contained in:
CentOS Sources 2021-11-09 05:01:45 -05:00 committed by Stepan Oksanichenko
parent fbe6a57bea
commit 1ccfe0d617
4 changed files with 7 additions and 152 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/pkg-varnish-cache-0ad2f22.tar.gz SOURCES/pkg-varnish-cache-0ad2f22.tar.gz
SOURCES/varnish-6.0.6.tgz SOURCES/varnish-6.0.8.tgz

View File

@ -1,2 +1,2 @@
db2cd6c296e7f19d65c09e642b7011338d9d0e04 SOURCES/pkg-varnish-cache-0ad2f22.tar.gz db2cd6c296e7f19d65c09e642b7011338d9d0e04 SOURCES/pkg-varnish-cache-0ad2f22.tar.gz
c9cdd61f46d70b1bf8cb5eac3510aa3f4cf5c326 SOURCES/varnish-6.0.6.tgz 7c5e50eabcd3c0ddb6c463ba4645678a2f71233a SOURCES/varnish-6.0.8.tgz

View File

@ -1,141 +0,0 @@
From 9be22198e258d0e7a5c41f4291792214a29405cf Mon Sep 17 00:00:00 2001
From: Martin Blix Grydeland <martin@varnish-software.com>
Date: Tue, 22 Jun 2021 11:47:55 +0200
Subject: [PATCH] Take content length into account on H/2 request bodies
When receiving H/2 data frames, make sure to take the advertised content
length into account, and fail appropriately if the combined sum of the
data frames does not match the content length.
---
bin/varnishd/http2/cache_http2.h | 2 ++
bin/varnishd/http2/cache_http2_proto.c | 49 ++++++++++++++++++++------
2 files changed, 40 insertions(+), 11 deletions(-)
diff --git a/bin/varnishd/http2/cache_http2.h b/bin/varnishd/http2/cache_http2.h
index c377d03aac..205b96ccb7 100644
--- a/bin/varnishd/http2/cache_http2.h
+++ b/bin/varnishd/http2/cache_http2.h
@@ -131,6 +131,8 @@ struct h2_req {
/* Where to wake this stream up */
struct worker *wrk;
+ ssize_t reqbody_bytes;
+
VTAILQ_ENTRY(h2_req) tx_list;
h2_error error;
diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c
index cb35bb4873..98f5dc4f37 100644
--- a/bin/varnishd/http2/cache_http2_proto.c
+++ b/bin/varnishd/http2/cache_http2_proto.c
@@ -546,7 +546,7 @@ h2_end_headers(struct worker *wrk, struct h2_sess *h2,
struct req *req, struct h2_req *r2)
{
h2_error h2e;
- const char *b;
+ ssize_t cl;
ASSERT_RXTHR(h2);
assert(r2->state == H2_S_OPEN);
@@ -572,14 +572,24 @@ h2_end_headers(struct worker *wrk, struct h2_sess *h2,
// XXX: Have I mentioned H/2 Is hodge-podge ?
http_CollectHdrSep(req->http, H_Cookie, "; "); // rfc7540,l,3114,3120
+ cl = http_GetContentLength(req->http);
+ assert(cl >= -2);
+ if (cl == -2) {
+ VSLb(h2->vsl, SLT_Debug, "Non-parseable Content-Length");
+ return (H2SE_PROTOCOL_ERROR);
+ }
+
if (req->req_body_status == REQ_BODY_INIT) {
- if (!http_GetHdr(req->http, H_Content_Length, &b))
+ if (cl == -1)
req->req_body_status = REQ_BODY_WITHOUT_LEN;
else
req->req_body_status = REQ_BODY_WITH_LEN;
+ req->htc->content_length = cl;
} else {
+ /* A HEADER frame contained END_STREAM */
assert (req->req_body_status == REQ_BODY_NONE);
- if (http_GetContentLength(req->http) > 0)
+ r2->state = H2_S_CLOS_REM;
+ if (cl > 0)
return (H2CE_PROTOCOL_ERROR); //rfc7540,l,1838,1840
}
@@ -736,6 +746,7 @@ h2_rx_data(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
int w1 = 0, w2 = 0;
char buf[4];
unsigned wi;
+ ssize_t cl;
CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
ASSERT_RXTHR(h2);
@@ -754,6 +765,23 @@ h2_rx_data(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
Lck_Unlock(&h2->sess->mtx);
return (h2->error ? h2->error : r2->error);
}
+
+ r2->reqbody_bytes += h2->rxf_len;
+ if (h2->rxf_flags & H2FF_DATA_END_STREAM)
+ r2->state = H2_S_CLOS_REM;
+ cl = r2->req->htc->content_length;
+ if (cl >= 0 && (r2->reqbody_bytes > cl ||
+ (r2->state >= H2_S_CLOS_REM && r2->reqbody_bytes != cl))) {
+ VSLb(h2->vsl, SLT_Debug,
+ "H2: stream %u: Received data and Content-Length"
+ " mismatch", h2->rxf_stream);
+ r2->error = H2SE_PROTOCOL_ERROR; // rfc7540,l,3150,3163
+ if (r2->cond)
+ AZ(pthread_cond_signal(r2->cond));
+ Lck_Unlock(&h2->sess->mtx);
+ return (H2SE_PROTOCOL_ERROR);
+ }
+
AZ(h2->mailcall);
h2->mailcall = r2;
h2->req0->r_window -= h2->rxf_len;
@@ -772,6 +800,8 @@ h2_rx_data(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
r2->r_window += wi;
w2 = 1;
}
+
+
Lck_Unlock(&h2->sess->mtx);
if (w1 || w2) {
@@ -794,7 +824,7 @@ h2_vfp_body(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ssize_t *lp)
struct h2_req *r2;
struct h2_sess *h2;
unsigned l;
- enum vfp_status retval = VFP_OK;
+ enum vfp_status retval;
CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC);
CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC);
@@ -807,7 +837,6 @@ h2_vfp_body(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ssize_t *lp)
*lp = 0;
Lck_Lock(&h2->sess->mtx);
- assert (r2->state == H2_S_OPEN);
r2->cond = &vc->wrk->cond;
while (h2->mailcall != r2 && h2->error == 0 && r2->error == 0)
AZ(Lck_CondWait(r2->cond, &h2->sess->mtx, 0));
@@ -830,12 +859,10 @@ h2_vfp_body(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ssize_t *lp)
Lck_Unlock(&h2->sess->mtx);
return (VFP_OK);
}
- if (h2->rxf_len == 0) {
- if (h2->rxf_flags & H2FF_DATA_END_STREAM) {
- retval = VFP_END;
- r2->state = H2_S_CLOS_REM;
- }
- }
+ if (h2->rxf_len == 0 && r2->state >= H2_S_CLOS_REM)
+ retval = VFP_END;
+ else
+ retval = VFP_OK;
h2->mailcall = NULL;
AZ(pthread_cond_signal(h2->cond));
}

View File

@ -18,8 +18,8 @@
Summary: High-performance HTTP accelerator Summary: High-performance HTTP accelerator
Name: varnish Name: varnish
Version: 6.0.6 Version: 6.0.8
Release: 2%{?dist}.1 Release: 1%{?dist}
License: BSD License: BSD
Group: System Environment/Daemons Group: System Environment/Daemons
URL: https://www.varnish-cache.org/ URL: https://www.varnish-cache.org/
@ -32,9 +32,6 @@ Patch9: varnish-5.1.1.fix_python_version.patch
# https://github.com/varnishcache/varnish-cache/commit/5220c394232c25bb7a807a35e7394059ecefa821#diff-2279587378a4426edde05f42e1acca5e # https://github.com/varnishcache/varnish-cache/commit/5220c394232c25bb7a807a35e7394059ecefa821#diff-2279587378a4426edde05f42e1acca5e
Patch11: varnish-6.0.0.fix_el6_fortify_source.patch Patch11: varnish-6.0.0.fix_el6_fortify_source.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1982409
Patch100: varnish-6.0.6-CVE-2021-36740.patch
Obsoletes: varnish-libs Obsoletes: varnish-libs
%if %{with python3} %if %{with python3}
@ -143,8 +140,6 @@ sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides
%patch11 -p0 %patch11 -p0
%endif %endif
%patch100 -p1 -b .CVE-2021-36740
%build %build
%if 0%{?rhel} == 6 %if 0%{?rhel} == 6
export CFLAGS="%{optflags} -fPIC" export CFLAGS="%{optflags} -fPIC"
@ -376,8 +371,9 @@ fi
%changelog %changelog
* Thu Jul 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 6.0.6-2.1 * Thu Jul 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1
- Resolves: #1982861 - CVE-2021-36740 varnish:6/varnish: HTTP/2 request - new version 6.0.8
- Resolves: #1982862 - CVE-2021-36740 varnish:6/varnish: HTTP/2 request
smuggling attack via a large Content-Length header for a POST request smuggling attack via a large Content-Length header for a POST request
* Tue Apr 14 2020 Lubos Uhliarik <luhliari@redhat.com> - 6.0.6-2 * Tue Apr 14 2020 Lubos Uhliarik <luhliari@redhat.com> - 6.0.6-2