]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blobdiff - src/patches/squid-3.1-10487.patch
projects / people / teissler / ipfire-2.x.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
squid: Fix two security issues.
[people/teissler/ipfire-2.x.git] / src / patches / squid-3.1-10487.patch
diff --git a/src/patches/squid-3.1-10487.patch b/src/patches/squid-3.1-10487.patch
new file mode 100644 (file)
index 0000000..2ca4848
--- /dev/null
+++ b/src/patches/squid-3.1-10487.patch
@@ -0,0 +1,73 @@
+------------------------------------------------------------
+revno: 10487
+revision-id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
+parent: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
+author: Nathan Hoad <nathan@getoffmalawn.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: SQUID_3_1
+timestamp: Wed 2013-07-10 06:47:48 -0600
+message:
+  Protect against buffer overrun in DNS query generation
+  
+  see SQUID-2013:2.
+  
+  This bug has been present as long as the internal DNS component however
+  most code reaching this point is passing through URL validation first.
+  With Squid-3.2 Host header verification using DNS directly we may have
+  problems.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+#   /SQUID_3_1
+# testament_sha1: b5be85c8876ce15ec8fa173845e61755b6942fe0
+# timestamp: 2013-07-10 12:48:57 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+#   /SQUID_3_1
+# base_revision_id: squid3@treenet.co.nz-20130222111325-\
+#   zizr296kq3te4g7h
+# 
+# Begin patch
+=== modified file 'src/dns_internal.cc'
+--- src/dns_internal.cc        2011-10-11 02:12:56 +0000
++++ src/dns_internal.cc        2013-07-10 12:47:48 +0000
+@@ -1532,22 +1532,26 @@
+ void
+ idnsALookup(const char *name, IDNSCB * callback, void *data)
+ {
+-    unsigned int i;
++    size_t nameLength = strlen(name);
++
++    // Prevent buffer overflow on q->name
++    if (nameLength > NS_MAXDNAME) {
++        debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
++        callback(data, NULL, 0, "Internal error");
++        return;
++    }
++
++    if (idnsCachedLookup(name, callback, data))
++        return;
++
++    idns_query *q = cbdataAlloc(idns_query);
++    q->id = idnsQueryID();
+     int nd = 0;
+-    idns_query *q;
+-
+-    if (idnsCachedLookup(name, callback, data))
+-        return;
+-
+-    q = cbdataAlloc(idns_query);
+-
+-    q->id = idnsQueryID();
+-
+-    for (i = 0; i < strlen(name); i++)
++    for (unsigned int i = 0; i < nameLength; ++i)
+         if (name[i] == '.')
+             nd++;
+-    if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
++    if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
+         q->do_searchpath = 1;
+     } else {
+         q->do_searchpath = 0;
+
Timo's tree of IPFire 2.x