import varnish-6.0.8-1.module+el8.5.0+11919+2c98a2b6
This commit is contained in:
CentOS Sources
Stepan Oksanichenko
parent
fbe6a57bea
commit
1ccfe0d617
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/pkg-varnish-cache-0ad2f22.tar.gz
|
||||
SOURCES/varnish-6.0.6.tgz
|
||||
SOURCES/varnish-6.0.8.tgz
|
||||
|
||||
@ -1,2 +1,2 @@
|
||||
db2cd6c296e7f19d65c09e642b7011338d9d0e04 SOURCES/pkg-varnish-cache-0ad2f22.tar.gz
|
||||
c9cdd61f46d70b1bf8cb5eac3510aa3f4cf5c326 SOURCES/varnish-6.0.6.tgz
|
||||
7c5e50eabcd3c0ddb6c463ba4645678a2f71233a SOURCES/varnish-6.0.8.tgz
|
||||
|
||||
@ -1,141 +0,0 @@
|
||||
From 9be22198e258d0e7a5c41f4291792214a29405cf Mon Sep 17 00:00:00 2001
|
||||
From: Martin Blix Grydeland <martin@varnish-software.com>
|
||||
Date: Tue, 22 Jun 2021 11:47:55 +0200
|
||||
Subject: [PATCH] Take content length into account on H/2 request bodies
|
||||
|
||||
When receiving H/2 data frames, make sure to take the advertised content
|
||||
length into account, and fail appropriately if the combined sum of the
|
||||
data frames does not match the content length.
|
||||
---
|
||||
bin/varnishd/http2/cache_http2.h | 2 ++
|
||||
bin/varnishd/http2/cache_http2_proto.c | 49 ++++++++++++++++++++------
|
||||
2 files changed, 40 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/bin/varnishd/http2/cache_http2.h b/bin/varnishd/http2/cache_http2.h
|
||||
index c377d03aac..205b96ccb7 100644
|
||||
--- a/bin/varnishd/http2/cache_http2.h
|
||||
+++ b/bin/varnishd/http2/cache_http2.h
|
||||
@@ -131,6 +131,8 @@ struct h2_req {
|
||||
/* Where to wake this stream up */
|
||||
struct worker *wrk;
|
||||
|
||||
+ ssize_t reqbody_bytes;
|
||||
+
|
||||
VTAILQ_ENTRY(h2_req) tx_list;
|
||||
h2_error error;
|
||||
|
||||
diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c
|
||||
index cb35bb4873..98f5dc4f37 100644
|
||||
--- a/bin/varnishd/http2/cache_http2_proto.c
|
||||
+++ b/bin/varnishd/http2/cache_http2_proto.c
|
||||
@@ -546,7 +546,7 @@ h2_end_headers(struct worker *wrk, struct h2_sess *h2,
|
||||
struct req *req, struct h2_req *r2)
|
||||
{
|
||||
h2_error h2e;
|
||||
- const char *b;
|
||||
+ ssize_t cl;
|
||||
|
||||
ASSERT_RXTHR(h2);
|
||||
assert(r2->state == H2_S_OPEN);
|
||||
@@ -572,14 +572,24 @@ h2_end_headers(struct worker *wrk, struct h2_sess *h2,
|
||||
// XXX: Have I mentioned H/2 Is hodge-podge ?
|
||||
http_CollectHdrSep(req->http, H_Cookie, "; "); // rfc7540,l,3114,3120
|
||||
|
||||
+ cl = http_GetContentLength(req->http);
|
||||
+ assert(cl >= -2);
|
||||
+ if (cl == -2) {
|
||||
+ VSLb(h2->vsl, SLT_Debug, "Non-parseable Content-Length");
|
||||
+ return (H2SE_PROTOCOL_ERROR);
|
||||
+ }
|
||||
+
|
||||
if (req->req_body_status == REQ_BODY_INIT) {
|
||||
- if (!http_GetHdr(req->http, H_Content_Length, &b))
|
||||
+ if (cl == -1)
|
||||
req->req_body_status = REQ_BODY_WITHOUT_LEN;
|
||||
else
|
||||
req->req_body_status = REQ_BODY_WITH_LEN;
|
||||
+ req->htc->content_length = cl;
|
||||
} else {
|
||||
+ /* A HEADER frame contained END_STREAM */
|
||||
assert (req->req_body_status == REQ_BODY_NONE);
|
||||
- if (http_GetContentLength(req->http) > 0)
|
||||
+ r2->state = H2_S_CLOS_REM;
|
||||
+ if (cl > 0)
|
||||
return (H2CE_PROTOCOL_ERROR); //rfc7540,l,1838,1840
|
||||
}
|
||||
|
||||
@@ -736,6 +746,7 @@ h2_rx_data(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
|
||||
int w1 = 0, w2 = 0;
|
||||
char buf[4];
|
||||
unsigned wi;
|
||||
+ ssize_t cl;
|
||||
|
||||
CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
|
||||
ASSERT_RXTHR(h2);
|
||||
@@ -754,6 +765,23 @@ h2_rx_data(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
|
||||
Lck_Unlock(&h2->sess->mtx);
|
||||
return (h2->error ? h2->error : r2->error);
|
||||
}
|
||||
+
|
||||
+ r2->reqbody_bytes += h2->rxf_len;
|
||||
+ if (h2->rxf_flags & H2FF_DATA_END_STREAM)
|
||||
+ r2->state = H2_S_CLOS_REM;
|
||||
+ cl = r2->req->htc->content_length;
|
||||
+ if (cl >= 0 && (r2->reqbody_bytes > cl ||
|
||||
+ (r2->state >= H2_S_CLOS_REM && r2->reqbody_bytes != cl))) {
|
||||
+ VSLb(h2->vsl, SLT_Debug,
|
||||
+ "H2: stream %u: Received data and Content-Length"
|
||||
+ " mismatch", h2->rxf_stream);
|
||||
+ r2->error = H2SE_PROTOCOL_ERROR; // rfc7540,l,3150,3163
|
||||
+ if (r2->cond)
|
||||
+ AZ(pthread_cond_signal(r2->cond));
|
||||
+ Lck_Unlock(&h2->sess->mtx);
|
||||
+ return (H2SE_PROTOCOL_ERROR);
|
||||
+ }
|
||||
+
|
||||
AZ(h2->mailcall);
|
||||
h2->mailcall = r2;
|
||||
h2->req0->r_window -= h2->rxf_len;
|
||||
@@ -772,6 +800,8 @@ h2_rx_data(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
|
||||
r2->r_window += wi;
|
||||
w2 = 1;
|
||||
}
|
||||
+
|
||||
+
|
||||
Lck_Unlock(&h2->sess->mtx);
|
||||
|
||||
if (w1 || w2) {
|
||||
@@ -794,7 +824,7 @@ h2_vfp_body(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ssize_t *lp)
|
||||
struct h2_req *r2;
|
||||
struct h2_sess *h2;
|
||||
unsigned l;
|
||||
- enum vfp_status retval = VFP_OK;
|
||||
+ enum vfp_status retval;
|
||||
|
||||
CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC);
|
||||
CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC);
|
||||
@@ -807,7 +837,6 @@ h2_vfp_body(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ssize_t *lp)
|
||||
*lp = 0;
|
||||
|
||||
Lck_Lock(&h2->sess->mtx);
|
||||
- assert (r2->state == H2_S_OPEN);
|
||||
r2->cond = &vc->wrk->cond;
|
||||
while (h2->mailcall != r2 && h2->error == 0 && r2->error == 0)
|
||||
AZ(Lck_CondWait(r2->cond, &h2->sess->mtx, 0));
|
||||
@@ -830,12 +859,10 @@ h2_vfp_body(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ssize_t *lp)
|
||||
Lck_Unlock(&h2->sess->mtx);
|
||||
return (VFP_OK);
|
||||
}
|
||||
- if (h2->rxf_len == 0) {
|
||||
- if (h2->rxf_flags & H2FF_DATA_END_STREAM) {
|
||||
- retval = VFP_END;
|
||||
- r2->state = H2_S_CLOS_REM;
|
||||
- }
|
||||
- }
|
||||
+ if (h2->rxf_len == 0 && r2->state >= H2_S_CLOS_REM)
|
||||
+ retval = VFP_END;
|
||||
+ else
|
||||
+ retval = VFP_OK;
|
||||
h2->mailcall = NULL;
|
||||
AZ(pthread_cond_signal(h2->cond));
|
||||
}
|
||||
@ -18,8 +18,8 @@
|
||||
|
||||
Summary: High-performance HTTP accelerator
|
||||
Name: varnish
|
||||
Version: 6.0.6
|
||||
Release: 2%{?dist}.1
|
||||
Version: 6.0.8
|
||||
Release: 1%{?dist}
|
||||
License: BSD
|
||||
Group: System Environment/Daemons
|
||||
URL: https://www.varnish-cache.org/
|
||||
@ -32,9 +32,6 @@ Patch9: varnish-5.1.1.fix_python_version.patch
|
||||
# https://github.com/varnishcache/varnish-cache/commit/5220c394232c25bb7a807a35e7394059ecefa821#diff-2279587378a4426edde05f42e1acca5e
|
||||
Patch11: varnish-6.0.0.fix_el6_fortify_source.patch
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1982409
|
||||
Patch100: varnish-6.0.6-CVE-2021-36740.patch
|
||||
|
||||
Obsoletes: varnish-libs
|
||||
|
||||
%if %{with python3}
|
||||
@ -143,8 +140,6 @@ sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides
|
||||
%patch11 -p0
|
||||
%endif
|
||||
|
||||
%patch100 -p1 -b .CVE-2021-36740
|
||||
|
||||
%build
|
||||
%if 0%{?rhel} == 6
|
||||
export CFLAGS="%{optflags} -fPIC"
|
||||
@ -376,8 +371,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Jul 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 6.0.6-2.1
|
||||
- Resolves: #1982861 - CVE-2021-36740 varnish:6/varnish: HTTP/2 request
|
||||
* Thu Jul 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1
|
||||
- new version 6.0.8
|
||||
- Resolves: #1982862 - CVE-2021-36740 varnish:6/varnish: HTTP/2 request
|
||||
smuggling attack via a large Content-Length header for a POST request
|
||||
|
||||
* Tue Apr 14 2020 Lubos Uhliarik <luhliari@redhat.com> - 6.0.6-2
|
||||
|
||||
Loading…
Reference in New Issue
Block a user