Import strnstr from FreeBSD sources. Needed for some string-safe operations.

strnstr() is not provided on all OS (Linux with gcc 3.x for one).
And some OS are known to bundle an unsafe version (MacOS X 10.4 has a buffer overrun)

So code should use the function named squid_strnstr() and auto-tools will
test to see if the OS provided version is usable.

diff --git a/configure.in b/configure.in
index b331bca498cf4db4ad58ea6dff49367dcae8937e..cb76c104f54f018703ff0fd44580bed5d77c116c 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -2909,6 +2909,34 @@ if test "$ac_cv_func_setresuid" = "yes" ; then
   AC_DEFINE(HAVE_SETRESUID,1,[Yay! Another Linux brokenness.  Its not good enough to know that setresuid() exists, because RedHat 5.0 declare setresuid() but doesn't implement it.])
 fi
 
+dnl Yay!  This one is  a MacOSX brokenness.  Its not good enough
+dnl to know that strnstr() exists, because MacOSX 10.4 have a bad
+dnl copy that crashes with a buffer over-run!
+dnl
+AC_CACHE_CHECK(if strnstr is well implemented, ac_cv_func_strnstr,
+  AC_TRY_RUN([
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+    // we expect this to succeed, or crash on over-run.
+    // if it passes otherwise we may need a better check.
+int main(int argc, char **argv)
+{
+    int size = 20;
+    char *str = malloc(size);
+    memset(str, 'x', size);
+    strnstr(str, "fubar", size);
+    return 0;
+}
+  ],ac_cv_func_strnstr="yes",ac_cv_func_strnstr="no")
+)
+if test "$ac_cv_func_strnstr" = "yes" ; then
+  AC_DEFINE(HAVE_STRNSTR,1,[Yay! We have a working strnstr!])
+else
+  AC_DEFINE(HAVE_STRNSTR,0,[Yay! A MacOS X brokenness. Its not good enough to know that strnstr() exists, because MacOSX 10.4 and earlier may have a buffer overrun.])
+fi
+
+
 AM_CONDITIONAL(NEED_OWN_STRSEP, false)
 if test "$ac_cv_func_strsep" = "no" ; then
   AM_CONDITIONAL(NEED_OWN_STRSEP, true)

diff --git a/include/config.h b/include/config.h
index e0ac205ee3f4876f52f1995053da581d0cff95f2..acd05a1e215d30ca27512a4abb6a67d1f736f489 100644 (file)
--- a/include/config.h
+++ b/include/config.h
@@ -453,4 +453,10 @@ typedef union {
 #define RUNNING_ON_VALGRIND 0
 #endif /* WITH_VALGRIND */
 
+
+/*
+ * strnstr() is needed. The OS may not provide a working copy.
+ */
+#include "strnstr.h"
+
 #endif /* SQUID_CONFIG_H */

diff --git a/include/strnstr.h b/include/strnstr.h
new file mode 100644 (file)
index 0000000..bb3dc01
--- /dev/null
+++ b/include/strnstr.h
@@ -0,0 +1,16 @@
+/*
+ * Squid VCS $Id$
+ */
+#include "config.h"
+
+#if HAVE_STRNSTR
+
+/* Is strnstr exists and is usablewe do so. */
+#define squid_strnstr(a,b,c)   strnstr(a,b,c)
+
+#else /* not HAVE_STRNSTR */
+
+/* If its not usable we have our own copy imported from FreeBSD */
+const char * squid_strnstr(const char *s, const char *find, size_t slen);
+
+#endif /* HAVE_STRNSTR*/

diff --git a/lib/Makefile.am b/lib/Makefile.am
index e4a6e82af562d172f09ea7a3af1a5f5df11223cf..fd9970ab0a2b7402b00e7cd783f188825bf39a69 100644 (file)
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -77,6 +77,8 @@ libmiscutil_a_SOURCES = \
        rfc3596.c \
        $(SNPRINTFSOURCE) \
        Splay.cc \
+       strnstr.h \
+       strnstr.cc \
        $(STRSEPSOURCE) \
        $(STRTOLLSOURCE) \
        stub_memaccount.c \

diff --git a/lib/strnstr.cc b/lib/strnstr.cc
new file mode 100644 (file)
index 0000000..1758a48
--- /dev/null
+++ b/lib/strnstr.cc
@@ -0,0 +1,100 @@
+#ifndef _SQUID_COMPAT_STRNSTR_C_
+#define _SQUID_COMPAT_STRNSTR_C_
+/*
+ *  Shamelessly duplicated from the FreeBSD public sources
+ *  for use by the Squid Project under GNU Public License.
+ *
+ * Update/Maintenance History:
+ *
+ *    26-Apr-2008 : Copied from FreeBSD via OpenGrok
+ *                     - added protection around libray headers
+ *                     - added squid_ prefix for uniqueness
+ *                       so we can use it where OS copy is broken.
+ *
+ * Squid VCS $Id$
+ *
+ *  Original License and code follows.
+ */
+
+#include "config.h"
+#include "strnstr.h"
+
+#if !HAVE_STRNSTR
+
+/*-
+ * Copyright (c) 2001 Mike Barcroft <mike@FreeBSD.org>
+ * Copyright (c) 1990, 1993
+ *     The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Chris Torek.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *     This product includes software developed by the University of
+ *     California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * @(#)strstr.c        8.1 (Berkeley) 6/4/93
+ * $FreeBSD: src/lib/libc/string/strnstr.c,v 1.2.2.1 2001/12/09 06:50:03 mike Exp $
+ * $DragonFly: src/lib/libc/string/strnstr.c,v 1.4 2006/03/20 17:24:20 dillon Exp $
+ */
+
+#if HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#if HAVE_STRING_H
+#include <string.h>
+#endif
+
+/*
+ * Find the first occurrence of find in s, where the search is limited to the
+ * first slen characters of s.
+ */
+const char *
+squid_strnstr(const char *s, const char *find, size_t slen)
+{
+       char c, sc;
+       size_t len;
+
+       if ((c = *find++) != '\0') {
+               len = strlen(find);
+               do {
+                       do {
+                               if (slen < 1 || (sc = *s) == '\0')
+                                       return (NULL);
+                               --slen;
+                               ++s;
+                       } while (sc != c);
+                       if (len > slen)
+                               return (NULL);
+               } while (strncmp(s, find, len) != 0);
+               s--;
+       }
+       return s;
+}
+
+#endif /* !HAVE_STRNSTR */
+#endif /* _SQUID_COMPAT_STRNSTR_C_ */

diff --git a/src/client_side.cc b/src/client_side.cc
index db86dcce9bad858395ac49878103c184b41690e8..7432dd339ed2f88653bf750e9cd55d4ea2042472 100644 (file)
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -81,6 +81,7 @@
  * data flow.
  */
 
+#include "config.h"
 #include "squid.h"
 #include "client_side.h"
 #include "clientStream.h"
@@ -1957,7 +1958,7 @@ parseHttpRequest(ConnStateData *conn, HttpParser *hp, HttpRequestMethod * method
      * Check that the headers don't have double-CR.
      * NP: strnstr is required so we don't search any possible binary body blobs.
      */
-    if ( strnstr(req_hdr, "\r\r\n", req_sz) ) {
+    if ( squid_strnstr(req_hdr, "\r\r\n", req_sz) ) {
         debugs(33, 1, "WARNING: suspicious HTTP request contains double CR");
         xfree(url);
         return parseHttpRequestAbort(conn, "error:double-CR");