src/patches/squid-3.1-10487.patch

   1 ------------------------------------------------------------
   2 revno: 10487
   3 revision-id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
   4 parent: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
   5 author: Nathan Hoad <nathan@getoffmalawn.com>
   6 committer: Amos Jeffries <squid3@treenet.co.nz>
   7 branch nick: SQUID_3_1
   8 timestamp: Wed 2013-07-10 06:47:48 -0600
   9 message:
  10   Protect against buffer overrun in DNS query generation
  11
  12   see SQUID-2013:2.
  13
  14   This bug has been present as long as the internal DNS component however
  15   most code reaching this point is passing through URL validation first.
  16   With Squid-3.2 Host header verification using DNS directly we may have
  17   problems.
  18 ------------------------------------------------------------
  19 # Bazaar merge directive format 2 (Bazaar 0.90)
  20 # revision_id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
  21 # target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
  22 #   /SQUID_3_1
  23 # testament_sha1: b5be85c8876ce15ec8fa173845e61755b6942fe0
  24 # timestamp: 2013-07-10 12:48:57 +0000
  25 # source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
  26 #   /SQUID_3_1
  27 # base_revision_id: squid3@treenet.co.nz-20130222111325-\
  28 #   zizr296kq3te4g7h
  29 #
  30 # Begin patch
  31 === modified file 'src/dns_internal.cc'
  32 --- src/dns_internal.cc 2011-10-11 02:12:56 +0000
  33 +++ src/dns_internal.cc 2013-07-10 12:47:48 +0000
  34 @@ -1532,22 +1532,26 @@
  35  void
  36  idnsALookup(const char *name, IDNSCB * callback, void *data)
  37  {
  38 -    unsigned int i;
  39 +    size_t nameLength = strlen(name);
  40 +
  41 +    // Prevent buffer overflow on q->name
  42 +    if (nameLength > NS_MAXDNAME) {
  43 +        debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
  44 +        callback(data, NULL, 0, "Internal error");
  45 +        return;
  46 +    }
  47 +
  48 +    if (idnsCachedLookup(name, callback, data))
  49 +        return;
  50 +
  51 +    idns_query *q = cbdataAlloc(idns_query);
  52 +    q->id = idnsQueryID();
  53      int nd = 0;
  54 -    idns_query *q;
  55 -
  56 -    if (idnsCachedLookup(name, callback, data))
  57 -        return;
  58 -
  59 -    q = cbdataAlloc(idns_query);
  60 -
  61 -    q->id = idnsQueryID();
  62 -
  63 -    for (i = 0; i < strlen(name); i++)
  64 +    for (unsigned int i = 0; i < nameLength; ++i)
  65          if (name[i] == '.')
  66              nd++;
  67
  68 -    if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
  69 +    if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
  70          q->do_searchpath = 1;
  71      } else {
  72          q->do_searchpath = 0;
  73