[people/teissler/ipfire-2.x.git] / src / patches / squid-3.1-10487.patch

------------------------------------------------------------
revno: 10487
revision-id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
parent: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
author: Nathan Hoad <nathan@getoffmalawn.com>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: SQUID_3_1
timestamp: Wed 2013-07-10 06:47:48 -0600
message:
  Protect against buffer overrun in DNS query generation
  
  see SQUID-2013:2.
  
  This bug has been present as long as the internal DNS component however
  most code reaching this point is passing through URL validation first.
  With Squid-3.2 Host header verification using DNS directly we may have
  problems.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
#   /SQUID_3_1
# testament_sha1: b5be85c8876ce15ec8fa173845e61755b6942fe0
# timestamp: 2013-07-10 12:48:57 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
#   /SQUID_3_1
# base_revision_id: squid3@treenet.co.nz-20130222111325-\
#   zizr296kq3te4g7h
# 
# Begin patch
=== modified file 'src/dns_internal.cc'
--- src/dns_internal.cc	2011-10-11 02:12:56 +0000
+++ src/dns_internal.cc	2013-07-10 12:47:48 +0000
@@ -1532,22 +1532,26 @@
 void
 idnsALookup(const char *name, IDNSCB * callback, void *data)
 {
-    unsigned int i;
+    size_t nameLength = strlen(name);
+
+    // Prevent buffer overflow on q->name
+    if (nameLength > NS_MAXDNAME) {
+        debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
+        callback(data, NULL, 0, "Internal error");
+        return;
+    }
+
+    if (idnsCachedLookup(name, callback, data))
+        return;
+
+    idns_query *q = cbdataAlloc(idns_query);
+    q->id = idnsQueryID();
     int nd = 0;
-    idns_query *q;
-
-    if (idnsCachedLookup(name, callback, data))
-        return;
-
-    q = cbdataAlloc(idns_query);
-
-    q->id = idnsQueryID();
-
-    for (i = 0; i < strlen(name); i++)
+    for (unsigned int i = 0; i < nameLength; ++i)
         if (name[i] == '.')
             nd++;
 
-    if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
+    if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
         q->do_searchpath = 1;
     } else {
         q->do_searchpath = 0;
Commit	Line	Data
73237241 MT	1	------------------------------------------------------------
	2	revno: 10487
	3	revision-id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
	4	parent: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
	5	author: Nathan Hoad <nathan@getoffmalawn.com>
	6	committer: Amos Jeffries <squid3@treenet.co.nz>
	7	branch nick: SQUID_3_1
	8	timestamp: Wed 2013-07-10 06:47:48 -0600
	9	message:
	10	Protect against buffer overrun in DNS query generation
	11
	12	see SQUID-2013:2.
	13
	14	This bug has been present as long as the internal DNS component however
	15	most code reaching this point is passing through URL validation first.
	16	With Squid-3.2 Host header verification using DNS directly we may have
	17	problems.
	18	------------------------------------------------------------
	19	# Bazaar merge directive format 2 (Bazaar 0.90)
	20	# revision_id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
	21	# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
	22	# /SQUID_3_1
	23	# testament_sha1: b5be85c8876ce15ec8fa173845e61755b6942fe0
	24	# timestamp: 2013-07-10 12:48:57 +0000
	25	# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
	26	# /SQUID_3_1
	27	# base_revision_id: squid3@treenet.co.nz-20130222111325-\
	28	# zizr296kq3te4g7h
	29	#
	30	# Begin patch
	31	=== modified file 'src/dns_internal.cc'
	32	--- src/dns_internal.cc 2011-10-11 02:12:56 +0000
	33	+++ src/dns_internal.cc 2013-07-10 12:47:48 +0000
	34	@@ -1532,22 +1532,26 @@
	35	void
	36	idnsALookup(const char name, IDNSCB callback, void *data)
	37	{
	38	- unsigned int i;
	39	+ size_t nameLength = strlen(name);
	40	+
	41	+ // Prevent buffer overflow on q->name
	42	+ if (nameLength > NS_MAXDNAME) {
	43	+ debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
	44	+ callback(data, NULL, 0, "Internal error");
	45	+ return;
	46	+ }
	47	+
	48	+ if (idnsCachedLookup(name, callback, data))
	49	+ return;
	50	+
	51	+ idns_query *q = cbdataAlloc(idns_query);
	52	+ q->id = idnsQueryID();
	53	int nd = 0;
	54	- idns_query *q;
	55	-
	56	- if (idnsCachedLookup(name, callback, data))
	57	- return;
	58	-
	59	- q = cbdataAlloc(idns_query);
	60	-
	61	- q->id = idnsQueryID();
	62	-
	63	- for (i = 0; i < strlen(name); i++)
	64	+ for (unsigned int i = 0; i < nameLength; ++i)
65	if (name[i] == '.')
66	nd++;
67
68	- if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
69	+ if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
70	q->do_searchpath = 1;
71	} else {
72	q->do_searchpath = 0;
73