Fix parsing of malformed quoted squid.conf strings (#2239)

Iteration of a quoted token that ends with a backslash (escape with no
next char) kept going past the end of the token. That bug as well as
hypothetical 2KB-byte tokens (exceeding CONFIG_LINE_LIMIT) could also
result in a 1-byte NUL overrun.

diff --git a/src/ConfigParser.cc b/src/ConfigParser.cc
index 283856675f174d9bcbff85ad50ab246278220ed3..4794763cc8679885882ad1d538d1f07aaac5deb5 100644 (file)
--- a/src/ConfigParser.cc
+++ b/src/ConfigParser.cc
@@ -146,8 +146,13 @@ ConfigParser::UnQuote(const char *token, const char **next)
     const char  *s = token + 1;
     char *d = UnQuoted;
     /* scan until the end of the quoted string, handling escape sequences*/
-    while (*s && *s != quoteChar && !errorStr && (size_t)(d - UnQuoted) < sizeof(UnQuoted)) {
+    while (*s && *s != quoteChar && !errorStr && (size_t)(d - UnQuoted) < sizeof(UnQuoted) - 1) {
         if (*s == '\\') {
+            if (s[1] == '\0') {
+                errorStr = "Unterminated escape sequence";
+                errorPos = s;
+                break;
+            }
             s++;
             switch (*s) {
             case 'r':