Blame SOURCES/varnish-6.0.8-CVE-2022-45060.patch

755a4d
diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
755a4d
index d432629..b0dacb9 100644
755a4d
--- a/bin/varnishd/http2/cache_http2_hpack.c
755a4d
+++ b/bin/varnishd/http2/cache_http2_hpack.c
755a4d
@@ -93,18 +93,25 @@ static h2_error
755a4d
 h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
755a4d
 {
755a4d
 	/* XXX: This might belong in cache/cache_http.c */
755a4d
+	const char *b0;
755a4d
 	unsigned n;
755a4d
+	int disallow_empty;
755a4d
+	char *p;
755a4d
+	int i;
755a4d
 
755a4d
 	CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
755a4d
 	AN(b);
755a4d
 	assert(namelen >= 2);	/* 2 chars from the ': ' that we added */
755a4d
 	assert(namelen <= len);
755a4d
+	
755a4d
+	disallow_empty = 0;
755a4d
 
755a4d
 	if (len > UINT_MAX) {	/* XXX: cache_param max header size */
755a4d
 		VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
755a4d
 		return (H2SE_ENHANCE_YOUR_CALM);
755a4d
 	}
755a4d
 
755a4d
+	b0 = b;
755a4d
 	if (b[0] == ':') {
755a4d
 		/* Match H/2 pseudo headers */
755a4d
 		/* XXX: Should probably have some include tbl for
755a4d
@@ -113,10 +120,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
755a4d
 			b += namelen;
755a4d
 			len -= namelen;
755a4d
 			n = HTTP_HDR_METHOD;
755a4d
+			disallow_empty = 1;
755a4d
+
755a4d
+			/* First field cannot contain SP or CTL */
755a4d
+			for (p = b, i = 0; i < len; p++, i++) {
755a4d
+				if (vct_issp(*p) || vct_isctl(*p))
755a4d
+					return (H2SE_PROTOCOL_ERROR);
755a4d
+			}
755a4d
 		} else if (!strncmp(b, ":path: ", namelen)) {
755a4d
 			b += namelen;
755a4d
 			len -= namelen;
755a4d
 			n = HTTP_HDR_URL;
755a4d
+			disallow_empty = 1;
755a4d
+
755a4d
+			/* Second field cannot contain LWS or CTL */
755a4d
+			for (p = b, i = 0; i < len; p++, i++) {
755a4d
+				if (vct_islws(*p) || vct_isctl(*p))
755a4d
+					return (H2SE_PROTOCOL_ERROR);
755a4d
+			}
755a4d
 		} else if (!strncmp(b, ":scheme: ", namelen)) {
755a4d
 			/* XXX: What to do about this one? (typically
755a4d
 			   "http" or "https"). For now set it as a normal
755a4d
@@ -124,6 +145,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
755a4d
 			b++;
755a4d
 			len-=1;
755a4d
 			n = hp->nhd;
755a4d
+
755a4d
+			for (p = b + namelen, i = 0; i < len-namelen;
755a4d
+			    p++, i++) {
755a4d
+				if (vct_issp(*p) || vct_isctl(*p))
755a4d
+					return (H2SE_PROTOCOL_ERROR);
755a4d
+			}
755a4d
+
755a4d
+			if (!i)
755a4d
+				return (H2SE_PROTOCOL_ERROR);
755a4d
 		} else if (!strncmp(b, ":authority: ", namelen)) {
755a4d
 			b+=6;
755a4d
 			len-=6;
755a4d
@@ -160,6 +190,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
755a4d
 	hp->hd[n].b = b;
755a4d
 	hp->hd[n].e = b + len;
755a4d
 
755a4d
+	if (disallow_empty && !Tlen(hp->hd[n])) {
755a4d
+		VSLb(hp->vsl, SLT_BogoHeader,
755a4d
+		    "Empty pseudo-header %.*s",
755a4d
+		    (int)namelen, b0);
755a4d
+		return (H2SE_PROTOCOL_ERROR);
755a4d
+	}
755a4d
+
755a4d
 	return (0);
755a4d
 }
755a4d