git.ipfire.org Git - thirdparty/squid.git/commit

Certificate Validator buffer-overflow crashes Squid

Certain server certificates with a large chain and/or large certificates
(i.e. due to excessive amount of SAN entries) are producing helper requests and
replies which are larger than the 32KB limit set in src/helper.cc.

The major problem for squid is that the helper response should fit in the
helper read buffer. Currently squid starts with 4K request buffer and if
required may increase the buffer size up to 32K.

This patch:
  - Uses a constant-size read buffer for helpers and accumulates the helper
    response to Helper::Reply object.
  - Changes the HelperServerBase::requests list to hold list of the new
    Helper::Xaction class which holds pairs of Helper::Request and
    Helper::Reply objects
  - Modifies the Helper::Reply class to accumulate data and restricts the
    required memory allocations

This is a Measurement Factory project

author	Christos Tsantilas <chtsanti@users.sourceforge.net>
	Mon, 25 Jul 2016 10:22:54 +0000 (13:22 +0300)
committer	Christos Tsantilas <chtsanti@users.sourceforge.net>
	Mon, 25 Jul 2016 10:22:54 +0000 (13:22 +0300)
commit	ddc77a2e9f0a68604f05708796071487f4dfe3ea
tree	6c6bd8314d958fafbcb743aff441015b23be1c6f	tree \| snapshot
parent	f62759c58e836c7de131869bb1340ec5db4f8a14	commit \| diff

src/MemBuf.cc		diff \| blob \| blame \| history
src/MemBuf.h		diff \| blob \| blame \| history
src/client_side_request.cc		diff \| blob \| blame \| history
src/helper.cc		diff \| blob \| blame \| history
src/helper.h		diff \| blob \| blame \| history
src/helper/Reply.cc		diff \| blob \| blame \| history
src/helper/Reply.h		diff \| blob \| blame \| history
src/redirect.cc		diff \| blob \| blame \| history
src/ssl/helper.cc		diff \| blob \| blame \| history