Commit | Line | Data |
---|---|---|
73237241 MT |
1 | ------------------------------------------------------------ |
2 | revno: 10487 | |
3 | revision-id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx | |
4 | parent: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h | |
5 | author: Nathan Hoad <nathan@getoffmalawn.com> | |
6 | committer: Amos Jeffries <squid3@treenet.co.nz> | |
7 | branch nick: SQUID_3_1 | |
8 | timestamp: Wed 2013-07-10 06:47:48 -0600 | |
9 | message: | |
10 | Protect against buffer overrun in DNS query generation | |
11 | ||
12 | see SQUID-2013:2. | |
13 | ||
14 | This bug has been present as long as the internal DNS component however | |
15 | most code reaching this point is passing through URL validation first. | |
16 | With Squid-3.2 Host header verification using DNS directly we may have | |
17 | problems. | |
18 | ------------------------------------------------------------ | |
19 | # Bazaar merge directive format 2 (Bazaar 0.90) | |
20 | # revision_id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx | |
21 | # target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ | |
22 | # /SQUID_3_1 | |
23 | # testament_sha1: b5be85c8876ce15ec8fa173845e61755b6942fe0 | |
24 | # timestamp: 2013-07-10 12:48:57 +0000 | |
25 | # source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ | |
26 | # /SQUID_3_1 | |
27 | # base_revision_id: squid3@treenet.co.nz-20130222111325-\ | |
28 | # zizr296kq3te4g7h | |
29 | # | |
30 | # Begin patch | |
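--- a/src/dns_internal.cc
+++ b/src/dns_internal.cc
@@ -1532,22 +1532,26 @@
 void
 idnsALookup(const char *name, IDNSCB * callback, void *data)
 {
- unsigned int i;
+ size_t nameLength = strlen(name);
+
+ // Prevent buffer overflow on q->name
+ if (nameLength > NS_MAXDNAME) {
+ debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
+ callback(data, NULL, 0, "Internal error");
+ return;
+ }
+
+ if (idnsCachedLookup(name, callback, data))
+ return;
+
+ idns_query *q = cbdataAlloc(idns_query);
+ q->id = idnsQueryID();
 int nd = 0;
- idns_query *q;
-
- if (idnsCachedLookup(name, callback, data))
- return;
-
- q = cbdataAlloc(idns_query);
-
- q->id = idnsQueryID();
-
- for (i = 0; i < strlen(name); i++)
+ for (unsigned int i = 0; i < nameLength; ++i)
 if (name[i] == '.')
 nd++;
 
- if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
+ if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
 q->do_searchpath = 1;
 } else {
 q->do_searchpath = 0;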
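Review bot: A zero-length `name` passes the new `nameLength > NS_MAXDNAME` guard and then reaches `name[nameLength-1]` in the `res_defnames` test; since `nameLength` is a `size_t`, that index wraps to `SIZE_MAX` and reads far outside the string whenever `Config.onoff.res_defnames` is set and `npc > 0`. Short-circuiting the test closes it: `if (Config.onoff.res_defnames && npc > 0 && nameLength > 0 && name[nameLength-1] != '.') {`. Separately, the guard bounds only the caller's string, and the copy into `q->name` lies outside this hunk (the body of idnsALookup continues past it), so it is worth confirming that `q->name` is declared with at least `NS_MAXDNAME + 1` bytes and that anything appended later when `do_searchpath` is set is counted against the same limit. The alert also streams the full over-long `name` into the log, so truncating it in the `debugs()` call would keep a single oversized request from bloating the log.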