The Debian packaging of varnish is maintained in git, using the merging
workflow described in dgit-maint-merge(7). There isn't a patch queue
that can be represented as a quilt series.

A detailed breakdown of the changes is available from their canonical
representation - git commits in the packaging repository. For example,
to see the changes made by the Debian maintainer in the first upload
of upstream version 1.2.3, you could use:

    % git clone https://git.dgit.debian.org/varnish
    % cd varnish
    % git log --oneline 1.2.3..debian/1.2.3-1 -- . ':!debian'

(If you have dgit, use `dgit clone varnish`, rather than plain `git
clone`.)

A single combined diff, containing all the changes, follows.
--- varnish-6.5.1.orig/bin/varnishd/cache/cache_req_body.c
+++ varnish-6.5.1/bin/varnishd/cache/cache_req_body.c
@@ -252,6 +252,8 @@ VRB_Ignore(struct req *req)
 	if (req->req_body_status->avail > 0)
 		(void)VRB_Iterate(req->wrk, req->vsl, req,
 		    httpq_req_body_discard, NULL);
+	if (req->req_body_status == BS_ERROR)
+		req->doclose = SC_RX_BODY;
 	return (0);
 }
 
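Review bot: The new `BS_ERROR` check after the discard has no comment saying why the connection has to be closed, and the reason is not obvious from the two added lines. Presumably a body that could not be drained leaves unread bytes on the connection that would otherwise be read as the start of the next request; a comment such as `/* body not fully drained: connection must not be reused */` above the `if` would record that. VRB_Ignore starts outside this hunk, so whether an earlier return can skip the check cannot be confirmed from here.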
--- varnish-6.5.1.orig/bin/varnishd/http2/cache_http2.h
+++ varnish-6.5.1/bin/varnishd/http2/cache_http2.h
@@ -134,6 +134,8 @@ struct h2_req {
 	/* Where to wake this stream up */
 	struct worker			*wrk;
 
+	ssize_t				reqbody_bytes;
+
 	VTAILQ_ENTRY(h2_req)		tx_list;
 	h2_error			error;
 };
--- varnish-6.5.1.orig/bin/varnishd/http2/cache_http2_proto.c
+++ varnish-6.5.1/bin/varnishd/http2/cache_http2_proto.c
@@ -554,6 +554,7 @@ h2_end_headers(struct worker *wrk, struc
     struct req *req, struct h2_req *r2)
 {
 	h2_error h2e;
+	ssize_t cl;
 
 	ASSERT_RXTHR(h2);
 	assert(r2->state == H2_S_OPEN);
@@ -574,16 +575,24 @@ h2_end_headers(struct worker *wrk, struc
 	// XXX: Have I mentioned H/2 Is hodge-podge ?
 	http_CollectHdrSep(req->http, H_Cookie, "; ");	// rfc7540,l,3114,3120
 
+	cl = http_GetContentLength(req->http);
+	assert(cl >= -2);
+	if (cl == -2) {
+		VSLb(h2->vsl, SLT_Debug, "Non-parseable Content-Length");
+		return (H2SE_PROTOCOL_ERROR);
+	}
+
 	if (req->req_body_status == NULL) {
-		if (!http_GetHdr(req->http, H_Content_Length, NULL))
+		if (cl == -1)
 			req->req_body_status = BS_EOF;
 		else
 			req->req_body_status = BS_LENGTH;
+		req->htc->content_length = cl;
 	} else {
 		/* A HEADER frame contained END_STREAM */
 		assert (req->req_body_status == BS_NONE);
 		r2->state = H2_S_CLOS_REM;
-		if (http_GetContentLength(req->http) > 0)
+		if (cl > 0)
 			return (H2CE_PROTOCOL_ERROR); //rfc7540,l,1838,1840
 	}
 
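Review bot: The rejection of a non-parseable Content-Length is logged under `SLT_Debug`, while the malformed-header rejections in h2h_addhdr use `SLT_BogoHeader`, so an operator filtering on the latter to spot malformed requests would miss this one. Consider `VSLb(h2->vsl, SLT_BogoHeader, "Non-parseable Content-Length");` here, and the same tag for the Content-Length mismatch message added in h2_rx_data. The new SP/CTL checks on `:method`, `:path` and `:scheme` in h2h_addhdr return `H2SE_PROTOCOL_ERROR` with no log record at all, which makes those rejections hard to triage. h2_end_headers starts and ends outside this hunk.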
@@ -737,6 +746,7 @@ h2_rx_data(struct worker *wrk, struct h2
 	int w1 = 0, w2 = 0;
 	char buf[4];
 	unsigned wi;
+	ssize_t cl;
 
 	CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
 	ASSERT_RXTHR(h2);
@@ -755,6 +765,23 @@ h2_rx_data(struct worker *wrk, struct h2
 		Lck_Unlock(&h2->sess->mtx);
 		return (h2->error ? h2->error : r2->error);
 	}
+
+	r2->reqbody_bytes += h2->rxf_len;
+	if (h2->rxf_flags & H2FF_DATA_END_STREAM)
+		r2->state = H2_S_CLOS_REM;
+	cl = r2->req->htc->content_length;
+	if (cl >= 0 && (r2->reqbody_bytes > cl ||
+	      (r2->state >= H2_S_CLOS_REM && r2->reqbody_bytes != cl))) {
+		VSLb(h2->vsl, SLT_Debug,
+		    "H2: stream %u: Received data and Content-Length"
+		    " mismatch", h2->rxf_stream);
+		r2->error = H2SE_PROTOCOL_ERROR; // rfc7540,l,3150,3163
+		if (r2->cond)
+			AZ(pthread_cond_signal(r2->cond));
+		Lck_Unlock(&h2->sess->mtx);
+		return (H2SE_PROTOCOL_ERROR);
+	}
+
 	AZ(h2->mailcall);
 	h2->mailcall = r2;
 	h2->req0->r_window -= h2->rxf_len;
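Review bot: The mismatch test `r2->state >= H2_S_CLOS_REM` depends on the numeric order of the stream-state enum, which is declared outside this diff, and nothing here says so; the same comparison is added in h2_vfp_body. A comment above the `if`, for example `/* before END_STREAM the body may only fall short of Content-Length; once the stream is closed it must match exactly */`, would make the two halves of the condition readable. It is also worth confirming whether `h2->rxf_len` can include DATA-frame padding, because if it can, `reqbody_bytes` would over-count against Content-Length. h2_rx_data continues outside the hunk.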
@@ -773,6 +800,8 @@ h2_rx_data(struct worker *wrk, struct h2
 		r2->r_window += wi;
 		w2 = 1;
 	}
+
+
 	Lck_Unlock(&h2->sess->mtx);
 
 	if (w1 || w2) {
@@ -795,7 +824,7 @@ h2_vfp_body(struct vfp_ctx *vc, struct v
 	struct h2_req *r2;
 	struct h2_sess *h2;
 	unsigned l;
-	enum vfp_status retval = VFP_OK;
+	enum vfp_status retval;
 
 	CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC);
 	CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC);
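Review bot: Dropping the initializer leaves `retval` indeterminate until it is assigned, and the only assignments visible in this diff are the `VFP_END`/`VFP_OK` pair in the later hunk of h2_vfp_body. Every other path to the function's return, presumably including the branch taken when `h2->error` or `r2->error` is set, has to assign it; that branch is outside the hunks and cannot be confirmed from here. If the intent is to let the compiler flag a missed assignment, a short comment such as `/* assigned on every path below */` next to the declaration would say so.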
@@ -808,7 +837,6 @@ h2_vfp_body(struct vfp_ctx *vc, struct v
 	*lp = 0;
 
 	Lck_Lock(&h2->sess->mtx);
-	assert (r2->state == H2_S_OPEN);
 	r2->cond = &vc->wrk->cond;
 	while (h2->mailcall != r2 && h2->error == 0 && r2->error == 0)
 		AZ(Lck_CondWait(r2->cond, &h2->sess->mtx, 0));
@@ -831,12 +859,10 @@ h2_vfp_body(struct vfp_ctx *vc, struct v
 			Lck_Unlock(&h2->sess->mtx);
 			return (VFP_OK);
 		}
-		if (h2->rxf_len == 0) {
-			if (h2->rxf_flags & H2FF_DATA_END_STREAM) {
-				retval = VFP_END;
-				r2->state = H2_S_CLOS_REM;
-			}
-		}
+		if (h2->rxf_len == 0 && r2->state >= H2_S_CLOS_REM)
+			retval = VFP_END;
+		else
+			retval = VFP_OK;
 		h2->mailcall = NULL;
 		AZ(pthread_cond_signal(h2->cond));
 	}
--- varnish-6.5.1.orig/bin/varnishd/http2/cache_http2_hpack.c
+++ varnish-6.5.1/bin/varnishd/http2/cache_http2_hpack.c
@@ -95,18 +95,25 @@ static h2_error
 h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
 {
 	/* XXX: This might belong in cache/cache_http.c */
+	const char *b0;
+	int disallow_empty;
 	unsigned n;
+	char *p;
+	int i;
 
 	CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
 	AN(b);
 	assert(namelen >= 2);	/* 2 chars from the ': ' that we added */
 	assert(namelen <= len);
 
+	disallow_empty = 0;
+
 	if (len > UINT_MAX) {	/* XXX: cache_param max header size */
 		VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
 		return (H2SE_ENHANCE_YOUR_CALM);
 	}
 
+	b0 = b;
 	if (b[0] == ':') {
 		/* Match H/2 pseudo headers */
 		/* XXX: Should probably have some include tbl for
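Review bot: The new loop counter is declared `int i;`, but the loops added further down in h2h_addhdr compare it with `len` and `len-namelen`, which are `size_t`. The guard above only bounds `len` by `UINT_MAX`, so a length above `INT_MAX` would overflow `i`, and the mixed signed/unsigned comparison draws a `-Wsign-compare` warning. Declaring `size_t i;` addresses both, and the later `if (!i)` test still works. h2h_addhdr continues outside this hunk.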
@@ -115,10 +122,24 @@ h2h_addhdr(struct http *hp, char *b, siz
 			b += namelen;
 			len -= namelen;
 			n = HTTP_HDR_METHOD;
+			disallow_empty = 1;
+
+			/* First field cannot contain SP or CTL */
+			for (p = b, i = 0; i < len; p++, i++) {
+				if (vct_issp(*p) || vct_isctl(*p))
+					return (H2SE_PROTOCOL_ERROR);
+			}
 		} else if (!strncmp(b, ":path: ", namelen)) {
 			b += namelen;
 			len -= namelen;
 			n = HTTP_HDR_URL;
+			disallow_empty = 1;
+
+			/* Second field cannot contain LWS or CTL */
+			for (p = b, i = 0; i < len; p++, i++) {
+				if (vct_islws(*p) || vct_isctl(*p))
+					return (H2SE_PROTOCOL_ERROR);
+			}
 		} else if (!strncmp(b, ":scheme: ", namelen)) {
 			/* XXX: What to do about this one? (typically
 			   "http" or "https"). For now set it as a normal
@@ -126,6 +147,15 @@ h2h_addhdr(struct http *hp, char *b, siz
 			b++;
 			len-=1;
 			n = hp->nhd;
+
+			for (p = b + namelen, i = 0; i < len-namelen;
+			    p++, i++) {
+				if (vct_issp(*p) || vct_isctl(*p))
+					return (H2SE_PROTOCOL_ERROR);
+			}
+
+			if (!i)
+				return (H2SE_PROTOCOL_ERROR);
 		} else if (!strncmp(b, ":authority: ", namelen)) {
 			b+=6;
 			len-=6;
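Review bot: The `:scheme` scan starts one byte too late: `b++; len-=1;` has already dropped the leading colon, so the value begins at `b + namelen - 1`, yet the loop starts at `b + namelen` and runs `len-namelen` times. The first byte of the value is therefore never checked, a one-byte scheme trips `if (!i)`, and an empty value makes `len-namelen` wrap (both are `size_t`), so the loop reads past the header until it meets an SP or CTL byte. This assumes `namelen` still counts the colon, as the `strncmp(b, ":scheme: ", namelen)` match and the `:method` branch suggest. Suggested loop header: `for (p = b + namelen - 1, i = 0; i < len - (namelen - 1); p++, i++) {`.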
@@ -145,8 +175,8 @@ h2h_addhdr(struct http *hp, char *b, siz
 		/* Check for duplicate pseudo-header */
 		if (hp->hd[n].b != NULL) {
 			VSLb(hp->vsl, SLT_BogoHeader,
-			    "Duplicate pseudo-header: %.*s",
-			    (int)(len > 20 ? 20 : len), b);
+			    "Duplicate pseudo-header %.*s%.*s",
+			    (int)namelen, b0, (int)(len > 20 ? 20 : len), b);
 			return (H2SE_PROTOCOL_ERROR);	// rfc7540,l,3158,3162
 		}
 	} else {
@@ -162,6 +192,13 @@ h2h_addhdr(struct http *hp, char *b, siz
 	hp->hd[n].b = b;
 	hp->hd[n].e = b + len;
 
+	if (disallow_empty && !Tlen(hp->hd[n])) {
+		VSLb(hp->vsl, SLT_BogoHeader,
+		    "Empty pseudo-header %.*s",
+		    (int)namelen, b0);
+		return (H2SE_PROTOCOL_ERROR);
+	}
+
 	return (0);
 }
 
