From: Eduard Bagdasaryan
Date: Tue, 16 Jul 2024 05:45:49 +0000 (+0000)
Subject: Fix a use-after-free bug in peerDigestFetchReply() (#1865)
X-Git-Tag: SQUID_7_0_1~87
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=61ddaf9d4a17cf236d49d487aa05af1ef6e0b821;p=thirdparty%2Fsquid.git
Fix a use-after-free bug in peerDigestFetchReply() (#1865)
The problem occurred when handling an HTTP 304 cache digest response. Also removed effectively unused DIGEST_READ_DONE enum value.
---
diff --git a/src/enums.h b/src/enums.h
index e852ba4418..0ac7f3d82f 100644
--- a/src/enums.h
+++ b/src/enums.h
@@ -198,8 +198,7 @@ typedef enum {
 DIGEST_READ_NONE,
 DIGEST_READ_REPLY,
 DIGEST_READ_CBLOCK,
- DIGEST_READ_MASK,
- DIGEST_READ_DONE
+ DIGEST_READ_MASK
 } digest_read_state_t;
 /* CygWin & Windows NT Port */
diff --git a/src/peer_digest.cc b/src/peer_digest.cc
index 0f375ac4c7..089a2db878 100644
--- a/src/peer_digest.cc
+++ b/src/peer_digest.cc
@@ -386,10 +386,6 @@ peerDigestHandleReply(void *data, StoreIOBuffer receivedData)
 case DIGEST_READ_NONE:
 break;
- case DIGEST_READ_DONE:
- return;
- break;
-
 default:
 fatal("Bad digest transfer mode!\n");
 }
@@ -491,7 +487,7 @@ peerDigestFetchReply(void *data, char *buf, ssize_t size)
 // stay with the old in-memory digest
 peerDigestFetchStop(fetch, buf, "Not modified");
- fetch->state = DIGEST_READ_DONE;
+ return -1;
 } else if (status == Http::scOkay) {
 /* get rid of old entry if any */
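Review bot: The new `return -1;` after `peerDigestFetchStop(fetch, buf, "Not modified");` in the last hunk has no comment saying why control must leave at that point, so a later edit could reintroduce an access to `fetch` on the 304 path. Going by the commit title, the stop call appears to release the fetch state; I would add `// peerDigestFetchStop() may destroy fetch; do not touch it after this point` directly above the return. The rest of peerDigestFetchReply() and its caller lie outside this hunk, so it is worth confirming that peerDigestHandleReply() treats a negative result as "fetch is gone" and returns without dereferencing it, and that any other branch that stops or aborts the fetch also returns immediately. A regression test that feeds a 304 cache digest response under AddressSanitizer would keep this fix pinned.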