From: Amos Jeffries <squid3@treenet.co.nz>
Date: Mon, 2 Feb 2009 12:50:23 +0000 (+1300)
Subject: Fixup parsing of invalid version numbers
X-Git-Tag: SQUID_3_2_0_1~1225
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6f96622be8402982391c4b81b0c83925c0d86fbb;p=thirdparty%2Fsquid.git

Fixup parsing of invalid version numbers
---

diff --git a/src/HttpMsg.cc b/src/HttpMsg.cc
index 3ddbfbc19e..2aab365654 100644
--- a/src/HttpMsg.cc
+++ b/src/HttpMsg.cc
@@ -465,7 +465,7 @@ HttpParserParseReqLine(HttpParser *hmsg)
 {
     int i = 0;
     int retcode = 0;
-    unsigned int maj = 0, min = 9;
+    unsigned int maj = 0, min = 0;
     int last_whitespace = -1, line_end = -1;
 
     debugs(74, 5, "httpParserParseReqLine: parsing " << hmsg->buf);
@@ -572,10 +572,14 @@ HttpParserParseReqLine(HttpParser *hmsg)
 
             /* next should be 1 or more digits */
             maj = 0;
-            for (; i < hmsg->req_end && (isdigit(hmsg->buf[i])); i++) {
+            for (; i < hmsg->req_end && (isdigit(hmsg->buf[i])) && maj < 65536; i++) {
                 maj = maj * 10;
                 maj = maj + (hmsg->buf[i]) - '0';
             }
+            if (maj >= 65536) {
+                retcode = -1;
+                goto finish;
+            }
             if (i >= hmsg->req_end) {
                 retcode = 0;
                 goto finish;
@@ -594,11 +598,16 @@ HttpParserParseReqLine(HttpParser *hmsg)
             /* next should be one or more digits */
             i++;
             min = 0;
-            for (; i < hmsg->req_end && (isdigit(hmsg->buf[i])); i++) {
+            for (; i < hmsg->req_end && (isdigit(hmsg->buf[i])) && min < 65536; i++) {
                 min = min * 10;
                 min = min + (hmsg->buf[i]) - '0';
             }
 
+            if (min >= 65536) {
+                retcode = -1;
+                goto finish;
+            }
+
             /* Find whitespace, end of version */
             hmsg->v_end = i;
             hmsg->u_end = last_whitespace - 1;