From: Christos Tsantilas Date: Tue, 5 May 2015 15:38:39 +0000 (+0300) Subject: Squid Assertion MemBuf.cc:380: "new_cap > (size_t) capacity" X-Git-Tag: merge-candidate-3-v1~137 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1fe614859b96501da86a8850a78499642d4b7a84;p=thirdparty%2Fsquid.git Squid Assertion MemBuf.cc:380: "new_cap > (size_t) capacity" The maximum buffer size for holding Server and Client SSL hello messages is only 16k which is not enough hold a Hello message which includes some extensions and 1-2 or more Certificates. This patch increases the maximum size to 65535 and also adds some checks to avoid squid crashes in the case the hello messages buffer overflows. This is a Measurement Factory project
---
diff --git a/src/ssl/bio.cc b/src/ssl/bio.cc
index 788c5db18f..ae0ed5d97d 100644
--- a/src/ssl/bio.cc
+++ b/src/ssl/bio.cc
@@ -147,6 +147,13 @@ Ssl::Bio::stateChanged(const SSL *ssl, int where, int ret)
 SSL_state_string(ssl) << " (" << SSL_state_string_long(ssl) << ")");
 }
+void
+Ssl::Bio::prepReadBuf()
+{
+ if (rbuf.isNull())
+ rbuf.init(4096, 65536);
+}
+
 bool
 Ssl::ClientBio::isClientHello(int state)
 {
@@ -192,14 +199,14 @@ int
 Ssl::ClientBio::read(char *buf, int size, BIO *table)
 {
 if (helloState < atHelloReceived) {
-
- if (rbuf.isNull())
- rbuf.init(1024, 16384);
+ prepReadBuf();
 size = rbuf.spaceSize() > size ? size : rbuf.spaceSize();
- if (!size)
- return 0;
+ if (!size) {
+ debugs(83, DBG_IMPORTANT, "Not enough space to hold client SSL hello message");
+ return -1;
+ }
 int bytes = Ssl::Bio::read(buf, size, table);
 if (bytes <= 0)
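Review bot: The limits in `rbuf.init(4096, 65536)` in Ssl::Bio::prepReadBuf() are bare literals, and the commit description gives the new maximum as 65535, so a reader cannot tell which value is intended or where it comes from. A named constant with a short comment would settle it, for example `// hello data is capped at 64 KiB; the read() methods fail the connection once rbuf cannot hold more` above the init call. TLS handshake messages carry a 24-bit length, so a hello flight larger than this cap remains possible; with this patch it appears to take the error return in the read() methods rather than the MemBuf assertion, which is worth stating in that comment.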
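Review bot: In Ssl::ClientBio::read the test `if (!size)` runs after the clamp, so it is also true when the caller asks for zero bytes; that case now logs "Not enough space to hold client SSL hello message" and returns -1 where it used to return 0. Testing the buffer itself before clamping, e.g. `if (rbuf.spaceSize() <= 0) {`, keeps the error path for the full-buffer case only. The message is written at DBG_IMPORTANT for a condition the remote client controls and names no connection; appending `<< " on FD " << fd_` (fd_ is the protected member visible in the bio.h hunk, assuming ClientBio derives from Ssl::Bio) and considering a less prominent debug level would help triage and limit log growth. The function body continues outside the hunk.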
@@ -272,8 +279,13 @@ Ssl::ServerBio::read(char *buf, int size, BIO *table)
 int bytes = Ssl::Bio::read(buf, size, table);
 if (bytes > 0 && record_) {
- if (rbuf.isNull())
- rbuf.init(1024, 16384);
+ prepReadBuf();
+
+ if (rbuf.spaceSize() < bytes) {
+ debugs(83, DBG_IMPORTANT, "Not enough space to hold server hello message");
+ return -1;
+ }
+
 rbuf.append(buf, bytes);
 debugs(83, 5, "Record is enabled store " << bytes << " bytes");
 }
diff --git a/src/ssl/bio.h b/src/ssl/bio.h
index 470896b9ec..910fd86b1d 100644
--- a/src/ssl/bio.h
+++ b/src/ssl/bio.h
@@ -110,6 +110,9 @@ public:
 /// Tells ssl connection to use BIO and monitor state via stateChanged()
 static void Link(SSL *ssl, BIO *bio);
+ /// Prepare the rbuf buffer to accept hello data
+ void prepReadBuf();
+
 const MemBuf &rBufData() {return rbuf;}
 protected:
 const int fd_; ///< the SSL socket we are reading and writing
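Review bot: The new guard `if (rbuf.spaceSize() < bytes)` in Ssl::ServerBio::read may reject data that would still fit under the 65536 maximum. MemBuf is not shown here, but if spaceSize() reports only the free room in the current allocation (4096 bytes right after prepReadBuf()), a larger first read fails although append() could have grown the buffer; please confirm. If so, the growth-aware query is the right comparison, `if (rbuf.potentialSpaceSize() < bytes) {`, and the clamp on `size` in Ssl::ClientBio::read deserves the same look. On this path the bytes already read from the socket into `buf` are dropped and the log line names no connection, so adding `<< " on FD " << fd_` would help. The function body starts outside the hunk.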
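Review bot: `prepReadBuf()` is declared in the public part of the class (the hunk sits between `public:` and `protected:`), yet in this patch it is called only from Ssl::ClientBio::read and Ssl::ServerBio::read. If those classes derive from Ssl::Bio, declaring it under `protected:` keeps outside code from initialising rbuf. The doc comment could also state the limits and the idempotence, e.g. `/// Initializes rbuf (4 KB initial, 64 KB maximum) unless it is already initialized`. The class declaration starts and ends outside the hunk.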