From f5a69add1bba41929a047bef2e1fff694ea57e20 Mon Sep 17 00:00:00 2001
From: Evan Zelkowitz <eze@apache.org>
Date: Tue, 22 Jun 2021 14:32:55 -0700
Subject: [PATCH] [PATCH] Fixes (#7971)

* String the url fragment for outgoing requests (#7966)

Co-authored-by: Susan Hinrichs <shinrich@verizonmedia.com>
(cherry picked from commit 2b13eb33794574e62249997b4ba654d943a10f2d)

* Ensure that the content-length value is only digits (#7964)

Co-authored-by: Susan Hinrichs <shinrich@verizonmedia.com>
(cherry picked from commit 668d0f8668fec1cd350b0ceba3f7f8e4020ae3ca)

* Schedule H2 reenable event only if it's necessary

Co-authored-by: Katsutoshi Ikenoya <kikenoya@yahoo-corp.jp>

* Fix dynamic-stack-buffer-overflow of cachekey plugin (#7945)

* Fix dynamic-stack-buffer-overflow of cachekey plugin

* Check dst_size include null termination

(cherry picked from commit 5a9339d7bc65e1c2d8d2a0fc80bb051daf3cdb0b)

Co-authored-by: Bryan Call <bcall@apache.org>
Co-authored-by: Masakazu Kitajo <maskit@apache.org>
Co-authored-by: Katsutoshi Ikenoya <kikenoya@yahoo-corp.jp>
Co-authored-by: Masaori Koshiba <masaori@apache.org>

Gbp-Pq: Name 0019-CVE-2021-35474_32567_32566_32565_27577.patch
---
 plugins/cachekey/cachekey.cc      |  2 +-
 proxy/hdrs/HTTP.cc                | 11 +++++++++++
 proxy/http/HttpTransact.cc        |  5 ++++-
 proxy/http2/Http2ClientSession.cc |  4 ++--
 proxy/logging/LogUtils.cc         |  2 +-
 5 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/plugins/cachekey/cachekey.cc b/plugins/cachekey/cachekey.cc
index c89b6575..964f4579 100644
--- a/plugins/cachekey/cachekey.cc
+++ b/plugins/cachekey/cachekey.cc
@@ -40,7 +40,7 @@ appendEncoded(String &target, const char *s, size_t len)
     return;
   }
 
-  char tmp[len * 2];
+  char tmp[len * 3 + 1];
   size_t written;
 
   /* The default table does not encode the comma, so we need to use our own table here. */
diff --git a/proxy/hdrs/HTTP.cc b/proxy/hdrs/HTTP.cc
index 448eb443..5bba60ae 100644
--- a/proxy/hdrs/HTTP.cc
+++ b/proxy/hdrs/HTTP.cc
@@ -1203,6 +1203,17 @@ validate_hdr_content_length(HdrHeap *heap, HTTPHdrImpl *hh)
     int content_length_len         = 0;
     const char *content_length_val = content_length_field->value_get(&content_length_len);
 
+    // RFC 7230 section 3.3.2
+    // Content-Length = 1*DIGIT
+    //
+    // If the content-length value contains a non-numeric value, the header is invalid
+    for (int i = 0; i < content_length_len; i++) {
+      if (!isdigit(content_length_val[i])) {
+        Debug("http", "Content-Length value contains non-digit, returning parse error");
+        return PARSE_RESULT_ERROR;
+      }
+    }
+
     while (content_length_field->has_dups()) {
       int content_length_len_2         = 0;
       const char *content_length_val_2 = content_length_field->m_next_dup->value_get(&content_length_len_2);
diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
index ea879a7b..cf25eb17 100644
--- a/proxy/http/HttpTransact.cc
+++ b/proxy/http/HttpTransact.cc
@@ -7532,9 +7532,12 @@ HttpTransact::build_request(State *s, HTTPHdr *base_request, HTTPHdr *outgoing_r
 
   // HttpTransactHeaders::convert_request(outgoing_version, outgoing_request); // commented out this idea
 
+  URL *url = outgoing_request->url_get();
+  // Remove fragment from upstream URL
+  url->fragment_set(NULL, 0);
+
   // Check whether a Host header field is missing from a 1.0 or 1.1 request.
   if (outgoing_version != HTTPVersion(0, 9) && !outgoing_request->presence(MIME_PRESENCE_HOST)) {
-    URL *url = outgoing_request->url_get();
     int host_len;
     const char *host = url->host_get(&host_len);
 
diff --git a/proxy/http2/Http2ClientSession.cc b/proxy/http2/Http2ClientSession.cc
index 7263404d..4cbbb7f9 100644
--- a/proxy/http2/Http2ClientSession.cc
+++ b/proxy/http2/Http2ClientSession.cc
@@ -581,8 +581,8 @@ Http2ClientSession::state_process_frame_read(int event, VIO *vio, bool inside_fr
 bool
 Http2ClientSession::_should_do_something_else()
 {
-  // Do something else every 128 incoming frames
-  return (this->_n_frame_read & 0x7F) == 0;
+  // Do something else every 128 incoming frames if connection state isn't closed
+  return (this->_n_frame_read & 0x7F) == 0 && !connection_state.is_state_closed();
 }
 
 int64_t
diff --git a/proxy/logging/LogUtils.cc b/proxy/logging/LogUtils.cc
index 94becf25..475bee87 100644
--- a/proxy/logging/LogUtils.cc
+++ b/proxy/logging/LogUtils.cc
@@ -343,7 +343,7 @@ escapify_url_common(Arena *arena, char *url, size_t len_in, int *len_out, char *
   //
   size_t out_len = len_in + 2 * count;
 
-  if (dst && out_len > dst_size) {
+  if (dst && (out_len + 1) > dst_size) {
     *len_out = 0;
     return nullptr;
   }
-- 
2.30.2