Blame SOURCES/varnish-6.0.8-CVE-2023-44487-vcl_vrt.patch

commit c344e21f23c6605caa257abbf46fd333b7015928
Author: Tomas Korbar <tkorbar@redhat.com>
Date:   Wed Oct 18 20:42:21 2023 +0200
    vcl_vrt: Skip VCL execution if the client is gone
    
    Upstream PR #4006
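--- a/bin/varnishd/VSC_main.vsc
+++ b/bin/varnishd/VSC_main.vsc
@@ -324,6 +324,15 @@
 	Number of times an HTTP/2 stream was refused because the queue was
 	too long already. See also parameter thread_queue_limit.
 
+.. varnish_vsc:: req_reset
+	:group: wrk
+	:oneliner:	Requests reset
+
+	Number of times a client left before the VCL processing of its
+	requests completed. For HTTP/2 sessions, either the stream was
+	reset by an RST_STREAM frame from the client, or a stream or
+	connection error occurred.
+
 .. varnish_vsc:: n_object
 	:type:	gauge
 	:group: wrk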
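--- a/bin/varnishd/cache/cache_transport.h
+++ b/bin/varnishd/cache/cache_transport.h
@@ -42,6 +42,7 @@ typedef void vtr_sess_panic_f (struct vsb *, const struct sess *);
 typedef void vtr_req_panic_f (struct vsb *, const struct req *);
 typedef void vtr_req_fail_f (struct req *, enum sess_close);
 typedef void vtr_reembark_f (struct worker *, struct req *);
+typedef int vtr_poll_f (struct req *);
 typedef int vtr_minimal_response_f (struct req *, uint16_t status);
 
 struct transport {
@@ -62,6 +63,7 @@ struct transport {
 	vtr_sess_panic_f		*sess_panic;
 	vtr_req_panic_f			*req_panic;
 	vtr_reembark_f			*reembark;
+	vtr_poll_f			*poll;
 	vtr_minimal_response_f		*minimal_response;
 
 	VTAILQ_ENTRY(transport)		list;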
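Review bot: The new `vtr_poll_f` typedef and the `poll` member have no comment stating the return contract, yet both users visible in this patch depend on it: `req_poll()` treats any value `>= 0` as "client still present" and `h2_poll()` returns `-1` or `1`. A one-line comment above the typedef would pin this down for future transports, for example `/* poll: < 0 once the client is gone, >= 0 otherwise; member may be NULL */`. The NULL case matters because only `H2_transport` sets `.poll` in this patch, so requests on other transports are never polled.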
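--- a/bin/varnishd/cache/cache_vcl_vrt.c
+++ b/bin/varnishd/cache/cache_vcl_vrt.c
@@ -37,8 +37,10 @@
 #include "cache_varnishd.h"
 
 #include "vcl.h"
+#include "vtim.h"
 
 #include "cache_director.h"
+#include "cache_transport.h"
 #include "cache_vcl.h"
 
 /*--------------------------------------------------------------------*/
@@ -338,6 +340,35 @@ VRT_rel_vcl(VRT_CTX, struct vclref **refp)
  * The workspace argument is where random VCL stuff gets space from.
  */
 
+static int
+req_poll(struct worker *wrk, struct req *req)
+{
+
+	CHECK_OBJ_NOTNULL(req->top, REQ_MAGIC);
+	CHECK_OBJ_NOTNULL(req->top->transport, TRANSPORT_MAGIC);
+
+	/* NB: Since a fail transition leads to vcl_synth, the request may be
+	 * short-circuited twice.
+	 */
+	if (req->req_reset) {
+		wrk->handling = VCL_RET_FAIL;
+		return (-1);
+	}
+
+	if (!FEATURE(FEATURE_VCL_REQ_RESET))
+		return (0);
+	if (req->top->transport->poll == NULL)
+		return (0);
+	if (req->top->transport->poll(req->top) >= 0)
+		return (0);
+
+	VSLb_ts_req(req, "Reset", W_TIM_real(wrk));
+	wrk->stats->req_reset++;
+	wrk->handling = VCL_RET_FAIL;
+	req->req_reset = 1;
+	return (-1);
+}
+
 static void
 vcl_call_method(struct worker *wrk, struct req *req, struct busyobj *bo,
     void *specific, unsigned method, vcl_func_f *func)
@@ -351,6 +382,8 @@ vcl_call_method(struct worker *wrk, struct req *req, struct busyobj *bo,
 		CHECK_OBJ_NOTNULL(req, REQ_MAGIC);
 		CHECK_OBJ_NOTNULL(req->sp, SESS_MAGIC);
 		CHECK_OBJ_NOTNULL(req->vcl, VCL_MAGIC);
+		if (req_poll(wrk, req))
+			return;
 		VCL_Req2Ctx(&ctx, req);
 	}
 	if (bo != NULL) {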
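Review bot: `req_poll()` has no header comment, and the point at which it runs deserves one: it is called once on entry to `vcl_call_method()`, so a client reset is only noticed at the next VCL method transition, not while a subroutine is already running. A suitable comment above the function would be `/* Returns 0 to run the VCL method, -1 (with wrk->handling = VCL_RET_FAIL) once the client is gone. */`. The early `return` in `vcl_call_method()` sits before `VCL_Req2Ctx()` and the rest of that function lies outside the hunk, so please confirm that every caller accepts `VCL_RET_FAIL` from every client-side method and that skipping whatever follows is intended. For operations, the `Reset` timestamp and the `req_reset` counter added in this patch are the signals to watch when monitoring for bursts of client resets.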
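--- a/bin/varnishd/http2/cache_http2_session.c
+++ b/bin/varnishd/http2/cache_http2_session.c
@@ -440,6 +440,16 @@ h2_new_session(struct worker *wrk, void *arg)
 	h2_del_sess(wrk, h2, SC_RX_JUNK);
 }
 
+static int v_matchproto_(vtr_poll_f)
+h2_poll(struct req *req)
+{
+	struct h2_req *r2;
+
+	CHECK_OBJ_NOTNULL(req, REQ_MAGIC);
+	CAST_OBJ_NOTNULL(r2, req->transport_priv, H2_REQ_MAGIC);
+	return (r2->error ? -1 : 1);
+}
+
 struct transport H2_transport = {
 	.name =			"H2",
 	.magic =		TRANSPORT_MAGIC,
@@ -449,4 +459,5 @@ struct transport H2_transport = {
 	.req_body =		h2_req_body,
 	.req_fail =		h2_req_fail,
 	.sess_panic =		h2_sess_panic,
+	.poll =			h2_poll,
 };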
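Review bot: `h2_poll()` reads `r2->error` with no lock or atomic access, and `req_poll()` calls it from the worker that runs the request's VCL. If `r2->error` is written by the session thread, which only the parts of this file outside the hunk can confirm, the read is unsynchronised. The worst outcome visible from here is that a reset is noticed one VCL transition late, but that assumption should be written down, for example `/* unlocked read on purpose: a stale value only delays the reset by one VCL step */`. If the field is normally accessed under a session lock, taking it here would be the stricter option.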
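--- a/bin/varnishd/mgt/mgt_param_bits.c
+++ b/bin/varnishd/mgt/mgt_param_bits.c
@@ -219,7 +219,12 @@ tweak_feature(struct vsb *vsb, const struct parspec *par, const char *arg)
 	(void)par;
 
 	if (arg != NULL && arg != JSON_FMT) {
-		if (!strcmp(arg, "none")) {
+		if (!strcmp(arg, "default")) {
+			AZ(bit_tweak(vsb, mgt_param.feature_bits,
+				FEATURE_Reserved,
+				"+vcl_req_reset",
+				feature_tags, "feature bit", "+"));
+		}else if (!strcmp(arg, "none")) {
 			memset(mgt_param.feature_bits,
 			    0, sizeof mgt_param.feature_bits);
 		} else {
@@ -271,6 +276,6 @@ struct parspec VSL_parspec[] = {
 #define FEATURE_BIT(U, l, d, ld) "\n\t" #l "\t" d
 #include "tbl/feature_bits.h"
 #undef FEATURE_BIT
-		, 0, "none", "" },
+		, 0, "default", "" },
 	{ NULL, NULL, NULL }
 };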
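Review bot: The new `"default"` branch in `tweak_feature()` only turns `vcl_req_reset` on; unlike the `"none"` branch it does not clear `mgt_param.feature_bits` first, so setting the parameter back to `default` at runtime would apparently leave any previously enabled feature bits set. Clearing first would make `default` mean exactly the default set: `memset(mgt_param.feature_bits, 0, sizeof mgt_param.feature_bits);` before the `bit_tweak()` call. The documentation should also say that `feature none` now switches the client-reset check off, since deployments relying on this CVE-2023-44487 change may already use that value. The function continues outside the hunk, and `}else if` is missing a space.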
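--- a/doc/sphinx/reference/vsl.rst
+++ b/doc/sphinx/reference/vsl.rst
@@ -71,6 +71,11 @@ Resp
 Restart
 	Client request is being restarted.
 
+Reset
+        The client closed its connection, reset its stream or caused
+        a stream error that forced Varnish to reset the stream. Request
+        processing is interrupted and considered failed.
+
 Pipe handling timestamps
 ~~~~~~~~~~~~~~~~~~~~~~~~
 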
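--- a/include/tbl/feature_bits.h
+++ b/include/tbl/feature_bits.h
@@ -83,6 +83,12 @@ FEATURE_BIT(HTTP_DATE_POSTEL,	http_date_postel,
     "like Date:, Last-Modified:, Expires: etc."
 )
 
+FEATURE_BIT(VCL_REQ_RESET,			vcl_req_reset,
+    "Stop processing client VCL once the client is gone.",
+    "Stop processing client VCL once the client is gone. "
+    "When this happens MAIN.req_reset is incremented."
+)
+
 #undef FEATURE_BIT
 
 /*lint -restore */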
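--- a/include/tbl/req_flags.h
+++ b/include/tbl/req_flags.h
@@ -39,6 +39,7 @@ REQ_FLAG(is_hitpass,		1, 0, "")
 REQ_FLAG(waitinglist,		0, 0, "")
 REQ_FLAG(want100cont,		0, 0, "")
 REQ_FLAG(late100cont,		0, 0, "")
+REQ_FLAG(req_reset,		0, 0, "")
 #undef REQ_FLAG
 
 /*lint -restore */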