CVE-2022-38150

CVE-2022-38150.patch

@@ -0,0 +1,72 @@
+From c5fd097e5cce8b461c6443af02b3448baef2491d Mon Sep 17 00:00:00 2001
+From: Martin Blix Grydeland <martin@varnish-software.com>
+Date: Thu, 4 Aug 2022 10:59:33 +0200
+Subject: [PATCH] Do not call http_hdr_flags() on pseudo-headers
+
+In http_EstimateWS(), all headers are passed to the http_isfiltered()
+function to calculate how many bytes is needed to serialize the entire
+struct http. http_isfiltered() will check the headers for whether they are
+going to be filtered out later and if so skip them.
+
+However http_isfiltered() would attempt to treat all elements of struct
+http as regular headers with an implicit structure. That does not hold for
+the first three pseudo-header entries, which would lead to asserts in
+later steps.
+
+This patch skips the filter step for pseudo-headers.
+
+Fixes: #3830
+---
+ bin/varnishd/cache/cache_http.c  |  2 ++
+ bin/varnishtest/tests/r03830.vtc | 29 +++++++++++++++++++++++++++++
+ 2 files changed, 31 insertions(+)
+ create mode 100644 bin/varnishtest/tests/r03830.vtc
+
+diff --git a/bin/varnishd/cache/cache_http.c b/bin/varnishd/cache/cache_http.c
+index ed15e07f9e..d48c0bb366 100644
+--- a/bin/varnishd/cache/cache_http.c
++++ b/bin/varnishd/cache/cache_http.c
+@@ -1147,6 +1147,8 @@ http_isfiltered(const struct http *fm, unsigned u, unsigned how)
+ 
+ 	if (fm->hdf[u] & HDF_FILTER)
+ 		return (1);
++	if (u < HTTP_HDR_FIRST)
++		return (0);
+ 	e = strchr(fm->hd[u].b, ':');
+ 	if (e == NULL)
+ 		return (0);
+diff --git a/bin/varnishtest/tests/r03830.vtc b/bin/varnishtest/tests/r03830.vtc
+new file mode 100644
+index 0000000000..5155981923
+--- /dev/null
++++ b/bin/varnishtest/tests/r03830.vtc
+@@ -0,0 +1,29 @@
++varnishtest "3830: Do not call http_hdr_flags() on pseudo-headers"
++
++server s1 {
++	rxreq
++	txresp -reason ":x"
++
++	rxreq
++	txresp
++} -start
++
++varnish v1 -vcl+backend {
++	sub vcl_recv {
++		return (hash);
++	}
++} -start
++
++client c1 {
++	txreq
++	rxresp
++	expect resp.status == 200
++} -run
++
++client c2 {
++	txreq -url :x -method :x
++	rxresp
++	expect resp.status == 200
++} -run
++
++varnish v1 -vsl_catchup

varnish.spec

@@ -3,7 +3,7 @@
 Name:             varnish
 Summary:          A web application accelerator
 Version:          7.0.1
-Release:          3
+Release:          4
 License:          BSD
 URL:              https://www.varnish-cache.org/
 Source0:          http://varnish-cache.org/_downloads/varnish-%{version}.tgz
@@ -13,6 +13,7 @@ Source1:          https://github.com/varnishcache/pkg-varnish-cache/archive/0ad2
 Patch0001:        fix-varnish-devel-installation-failure.patch
 #https://github.com/varnishcache/varnish-cache/commit/fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4
 Patch0002:        CVE-2022-23959.patch
+Patch0003:        CVE-2022-38150.patch
 
 BuildRequires:    python3-sphinx python3-docutils pkgconfig make graphviz nghttp2 systemd-units
 BuildRequires:    ncurses-devel pcre2-devel libedit-devel gcc
@@ -160,6 +161,9 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 %{_mandir}/man7/*.7*
 
 %changelog
+* Tue Aug 23 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 7.0.1-4
+- Fix CVE-2022-38150
+
 * Tue Apr 26 2022 yaoxin <yaoxin30@h-partners.com> - 7.0.1-3
 - Fix CVE-2022-23959