From: serassio <>
Date: Fri, 28 Jan 2005 16:23:41 +0000 (+0000)
Subject: Bug #1189: buffer overflow bug in gopherToHTML()
X-Git-Tag: SQUID_3_0_PRE4~890
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8617e90a501f5e383cc8ed0102d7dc9dbc1b1253;p=thirdparty%2Fsquid.git

Bug #1189: buffer overflow bug in gopherToHTML()

Yet another buffer overflow bug in gopherToHTML().  This one is similar
to others already found and the same solution is used.  If a potential
overflow is detected, the excess input is simply lost.

Forward port of Duane's 2.5 patch.
---

diff --git a/src/gopher.cc b/src/gopher.cc
index 5a2c73504e..92208742d8 100644
--- a/src/gopher.cc
+++ b/src/gopher.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: gopher.cc,v 1.185 2003/11/29 08:37:29 hno Exp $
+ * $Id: gopher.cc,v 1.186 2005/01/28 09:23:41 serassio Exp $
  *
  * DEBUG: section 10    Gopher
  * AUTHOR: Harvest Derived
@@ -394,6 +394,13 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
         if (gopherState->len != 0) {
             /* there is something left from last tx. */
             xstrncpy(line, gopherState->buf, gopherState->len + 1);
+
+            if (gopherState->len + len > TEMP_BUF_SIZE) {
+                debug(10, 1) ("GopherHTML: Buffer overflow. Lost some data on URL: %s\n",
+                              storeUrl(entry));
+                len = TEMP_BUF_SIZE - gopherState->len;
+            }
+
             lpos = (char *) memccpy(line + gopherState->len, inbuf, '\n', len);
 
             if (lpos)