import varnish-6.0.6-2.module+el8.4.0+11921+1a6539fc.1

This commit is contained in:
CentOS Sources 2021-08-02 10:31:47 -04:00 committed by Andrew Lukoshko
parent 71c4d8719e
commit fbe6a57bea
2 changed files with 151 additions and 1 deletions

View File

@ -0,0 +1,141 @@
From 9be22198e258d0e7a5c41f4291792214a29405cf Mon Sep 17 00:00:00 2001
From: Martin Blix Grydeland <martin@varnish-software.com>
Date: Tue, 22 Jun 2021 11:47:55 +0200
Subject: [PATCH] Take content length into account on H/2 request bodies
When receiving H/2 data frames, make sure to take the advertised content
length into account, and fail appropriately if the combined sum of the
data frames does not match the content length.
---
bin/varnishd/http2/cache_http2.h | 2 ++
bin/varnishd/http2/cache_http2_proto.c | 49 ++++++++++++++++++++------
2 files changed, 40 insertions(+), 11 deletions(-)
diff --git a/bin/varnishd/http2/cache_http2.h b/bin/varnishd/http2/cache_http2.h
index c377d03aac..205b96ccb7 100644
--- a/bin/varnishd/http2/cache_http2.h
+++ b/bin/varnishd/http2/cache_http2.h
@@ -131,6 +131,8 @@ struct h2_req {
/* Where to wake this stream up */
struct worker *wrk;
+ ssize_t reqbody_bytes;
+
VTAILQ_ENTRY(h2_req) tx_list;
h2_error error;
diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c
index cb35bb4873..98f5dc4f37 100644
--- a/bin/varnishd/http2/cache_http2_proto.c
+++ b/bin/varnishd/http2/cache_http2_proto.c
@@ -546,7 +546,7 @@ h2_end_headers(struct worker *wrk, struct h2_sess *h2,
struct req *req, struct h2_req *r2)
{
h2_error h2e;
- const char *b;
+ ssize_t cl;
ASSERT_RXTHR(h2);
assert(r2->state == H2_S_OPEN);
@@ -572,14 +572,24 @@ h2_end_headers(struct worker *wrk, struct h2_sess *h2,
// XXX: Have I mentioned H/2 Is hodge-podge ?
http_CollectHdrSep(req->http, H_Cookie, "; "); // rfc7540,l,3114,3120
+ cl = http_GetContentLength(req->http);
+ assert(cl >= -2);
+ if (cl == -2) {
+ VSLb(h2->vsl, SLT_Debug, "Non-parseable Content-Length");
+ return (H2SE_PROTOCOL_ERROR);
+ }
+
if (req->req_body_status == REQ_BODY_INIT) {
- if (!http_GetHdr(req->http, H_Content_Length, &b))
+ if (cl == -1)
req->req_body_status = REQ_BODY_WITHOUT_LEN;
else
req->req_body_status = REQ_BODY_WITH_LEN;
+ req->htc->content_length = cl;
} else {
+ /* A HEADER frame contained END_STREAM */
assert (req->req_body_status == REQ_BODY_NONE);
- if (http_GetContentLength(req->http) > 0)
+ r2->state = H2_S_CLOS_REM;
+ if (cl > 0)
return (H2CE_PROTOCOL_ERROR); //rfc7540,l,1838,1840
}
@@ -736,6 +746,7 @@ h2_rx_data(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
int w1 = 0, w2 = 0;
char buf[4];
unsigned wi;
+ ssize_t cl;
CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
ASSERT_RXTHR(h2);
@@ -754,6 +765,23 @@ h2_rx_data(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
Lck_Unlock(&h2->sess->mtx);
return (h2->error ? h2->error : r2->error);
}
+
+ r2->reqbody_bytes += h2->rxf_len;
+ if (h2->rxf_flags & H2FF_DATA_END_STREAM)
+ r2->state = H2_S_CLOS_REM;
+ cl = r2->req->htc->content_length;
+ if (cl >= 0 && (r2->reqbody_bytes > cl ||
+ (r2->state >= H2_S_CLOS_REM && r2->reqbody_bytes != cl))) {
+ VSLb(h2->vsl, SLT_Debug,
+ "H2: stream %u: Received data and Content-Length"
+ " mismatch", h2->rxf_stream);
+ r2->error = H2SE_PROTOCOL_ERROR; // rfc7540,l,3150,3163
+ if (r2->cond)
+ AZ(pthread_cond_signal(r2->cond));
+ Lck_Unlock(&h2->sess->mtx);
+ return (H2SE_PROTOCOL_ERROR);
+ }
+
AZ(h2->mailcall);
h2->mailcall = r2;
h2->req0->r_window -= h2->rxf_len;
@@ -772,6 +800,8 @@ h2_rx_data(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
r2->r_window += wi;
w2 = 1;
}
+
+
Lck_Unlock(&h2->sess->mtx);
if (w1 || w2) {
@@ -794,7 +824,7 @@ h2_vfp_body(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ssize_t *lp)
struct h2_req *r2;
struct h2_sess *h2;
unsigned l;
- enum vfp_status retval = VFP_OK;
+ enum vfp_status retval;
CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC);
CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC);
@@ -807,7 +837,6 @@ h2_vfp_body(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ssize_t *lp)
*lp = 0;
Lck_Lock(&h2->sess->mtx);
- assert (r2->state == H2_S_OPEN);
r2->cond = &vc->wrk->cond;
while (h2->mailcall != r2 && h2->error == 0 && r2->error == 0)
AZ(Lck_CondWait(r2->cond, &h2->sess->mtx, 0));
@@ -830,12 +859,10 @@ h2_vfp_body(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ssize_t *lp)
Lck_Unlock(&h2->sess->mtx);
return (VFP_OK);
}
- if (h2->rxf_len == 0) {
- if (h2->rxf_flags & H2FF_DATA_END_STREAM) {
- retval = VFP_END;
- r2->state = H2_S_CLOS_REM;
- }
- }
+ if (h2->rxf_len == 0 && r2->state >= H2_S_CLOS_REM)
+ retval = VFP_END;
+ else
+ retval = VFP_OK;
h2->mailcall = NULL;
AZ(pthread_cond_signal(h2->cond));
}

View File

@ -19,7 +19,7 @@
Summary: High-performance HTTP accelerator Summary: High-performance HTTP accelerator
Name: varnish Name: varnish
Version: 6.0.6 Version: 6.0.6
Release: 2%{?dist} Release: 2%{?dist}.1
License: BSD License: BSD
Group: System Environment/Daemons Group: System Environment/Daemons
URL: https://www.varnish-cache.org/ URL: https://www.varnish-cache.org/
@ -32,6 +32,9 @@ Patch9: varnish-5.1.1.fix_python_version.patch
# https://github.com/varnishcache/varnish-cache/commit/5220c394232c25bb7a807a35e7394059ecefa821#diff-2279587378a4426edde05f42e1acca5e # https://github.com/varnishcache/varnish-cache/commit/5220c394232c25bb7a807a35e7394059ecefa821#diff-2279587378a4426edde05f42e1acca5e
Patch11: varnish-6.0.0.fix_el6_fortify_source.patch Patch11: varnish-6.0.0.fix_el6_fortify_source.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1982409
Patch100: varnish-6.0.6-CVE-2021-36740.patch
Obsoletes: varnish-libs Obsoletes: varnish-libs
%if %{with python3} %if %{with python3}
@ -140,6 +143,8 @@ sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides
%patch11 -p0 %patch11 -p0
%endif %endif
%patch100 -p1 -b .CVE-2021-36740
%build %build
%if 0%{?rhel} == 6 %if 0%{?rhel} == 6
export CFLAGS="%{optflags} -fPIC" export CFLAGS="%{optflags} -fPIC"
@ -371,6 +376,10 @@ fi
%changelog %changelog
* Thu Jul 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 6.0.6-2.1
- Resolves: #1982861 - CVE-2021-36740 varnish:6/varnish: HTTP/2 request
smuggling attack via a large Content-Length header for a POST request
* Tue Apr 14 2020 Lubos Uhliarik <luhliari@redhat.com> - 6.0.6-2 * Tue Apr 14 2020 Lubos Uhliarik <luhliari@redhat.com> - 6.0.6-2
- new version 6.0.6 - new version 6.0.6
- Resolves: #1795673 - RFE: rebase varnish:6 to latest 6.0.x LTS - Resolves: #1795673 - RFE: rebase varnish:6 to latest 6.0.x LTS