git.ipfire.org Git - thirdparty/squid.git/commit

Improve handling of expanding HTTP header values (#1536)

Squid manipulations often increase HTTP header value length compared to
the corresponding raw value received by Squid. Raw header length is
checked against request_header_max_size and reply_header_max_size that
default to 64KB, making the raw value safe to store in a String object
(by default). However, when the increased length of a manipulated value
exceeds String class limits, Squid leaks memory, asserts, or possibly
stalls affected transactions. The long-term fix for this problem is a
complete String elimination from Squid sources, but that takes time.

Known manipulations may effectively concatenate headers and/or increase
header value length by 50%. This workaround makes such known increases
safe by essentially tripling String class limits:

(64KB + 64KB) * 150% = 3 * 64KB

This bug was discovered and detailed by Joshua Rogers at
https://megamansec.github.io/Squid-Security-Audit/response-memleaks.html
where it was filed as "Memory Leak in HTTP Response Parsing".

author	Alex Rousskov <rousskov@measurement-factory.com>
	Wed, 25 Oct 2023 11:47:19 +0000 (11:47 +0000)
committer	Squid Anubis <squid-anubis@squid-cache.org>
	Wed, 25 Oct 2023 11:47:22 +0000 (11:47 +0000)
commit	801593a993a683e082874011ad59e309697dcbf3
tree	2b68d7ae9cd9ef75c1e1ba28ff9298ee87d70310	tree \| snapshot
parent	7bfa7711e0559c96805087b5961187a4192a5bdc	commit \| diff

src/SquidString.h		diff \| blob \| blame \| history
src/cache_cf.cc		diff \| blob \| blame \| history
src/cf.data.pre		diff \| blob \| blame \| history
src/http.cc		diff \| blob \| blame \| history