squid: Fix two security issues.
1 ------------------------------------------------------------
2 revno: 10487
3 revision-id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
4 parent: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
5 author: Nathan Hoad <nathan@getoffmalawn.com>
6 committer: Amos Jeffries <squid3@treenet.co.nz>
7 branch nick: SQUID_3_1
8 timestamp: Wed 2013-07-10 06:47:48 -0600
9 message:
10 Protect against buffer overrun in DNS query generation
11
12 see SQUID-2013:2.
13
14 This bug has been present as long as the internal DNS component however
15 most code reaching this point is passing through URL validation first.
16 With Squid-3.2 Host header verification using DNS directly we may have
17 problems.
18 ------------------------------------------------------------
19 # Bazaar merge directive format 2 (Bazaar 0.90)
20 # revision_id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
21 # target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
22 # /SQUID_3_1
23 # testament_sha1: b5be85c8876ce15ec8fa173845e61755b6942fe0
24 # timestamp: 2013-07-10 12:48:57 +0000
25 # source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
26 # /SQUID_3_1
27 # base_revision_id: squid3@treenet.co.nz-20130222111325-\
28 # zizr296kq3te4g7h
29 #
30 # Begin patch
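--- a/src/dns_internal.cc
+++ b/src/dns_internal.cc
@@ -1532,22 +1532,26 @@
 void
 idnsALookup(const char *name, IDNSCB * callback, void *data)
 {
- unsigned int i;
+ size_t nameLength = strlen(name);
+
+ // Prevent buffer overflow on q->name
+ if (nameLength > NS_MAXDNAME) {
+ debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
+ callback(data, NULL, 0, "Internal error");
+ return;
+ }
+
+ if (idnsCachedLookup(name, callback, data))
+ return;
+
+ idns_query *q = cbdataAlloc(idns_query);
+ q->id = idnsQueryID();
 int nd = 0;
- idns_query *q;
-
- if (idnsCachedLookup(name, callback, data))
- return;
-
- q = cbdataAlloc(idns_query);
-
- q->id = idnsQueryID();
-
- for (i = 0; i < strlen(name); i++)
+ for (unsigned int i = 0; i < nameLength; ++i)
 if (name[i] == '.')
 nd++;
 
- if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
+ if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
 q->do_searchpath = 1;
 } else {
 q->do_searchpath = 0;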
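Review bot: The new `nameLength` guard rejects only over-long names, so an empty `name` still reaches `name[nameLength-1]` in the `res_defnames` condition, where `nameLength-1` wraps around and the read lands outside the string; a lower bound there, `npc > 0 && nameLength > 0 && name[nameLength-1] != '.'`, or rejecting `nameLength == 0` in the guard itself, closes that. The guard also bounds only the caller's name: if the code after this hunk appends a search-path domain to `q->name` when `do_searchpath` is set (not visible here), the combined length needs its own check against the buffer, and whether `>` or `>=` is the right comparison depends on the declared size of `q->name`, which the hunk does not show. The alert line writes the whole rejected name to the log, and that name is by construction longer than `NS_MAXDNAME` and may be client-supplied, so logging a truncated copy would keep the log entry bounded. The body of `idnsALookup` continues past the end of the hunk.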
73