From: Amos Jeffries
Date: Sat, 8 Mar 2014 00:18:11 +0000 (-0800)
Subject: Avoid buffer overrun by comm_read()
X-Git-Tag: SQUID_3_5_0_1~321^2~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=95e25eaeebb6bd36e90ee806aabd886a83b1fe6e;p=thirdparty%2Fsquid.git

Avoid buffer overrun by comm_read()

It seems the space details provided by SBuf do not necessarily match the existing MemBlob size. If for example actions like consume() have shifted the SBuf down the MemBlob buffer.

Use spaceSize() to guarantee that the underlying MemBlob store still provides sufficient buffer to fill without overflowing.

---
diff --git a/src/client_side.cc b/src/client_side.cc index e894993d4b..95c809c331 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -253,7 +253,7 @@ ConnStateData::readSomeData() typedef CommCbMemFunT Dialer; reader = JobCallback(33, 5, Dialer, this, ConnStateData::clientReadRequest); - comm_read(clientConnection, in.buf.rawSpace(2), in.buf.spaceSize()-1, reader); + comm_read(clientConnection, in.buf.rawSpace(in.buf.spaceSize()), in.buf.spaceSize()-1, reader); } void
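Review bot: In the changed comm_read() call, in.buf.spaceSize() is evaluated twice in the same argument list as in.buf.rawSpace(...), and C++ does not specify the order in which function arguments are evaluated, so the length argument is not guaranteed to be computed against the same buffer state as the pointer if rawSpace() alters the buffer. Read the size once into a local before the call and use that local for both the rawSpace() request and the length. Two related points: the call has no guard for spaceSize() returning 0, where spaceSize()-1 would go negative or wrap depending on the return type, and the reason for the -1 is not stated in a comment next to the call.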