Protect against buffer overrun in DNS query generation

see SQUID-2013:2.

This bug has been present as long as the internal DNS component however
most code reaching this point is passing through URL validation first.
With Squid-3.2 Host header verification using DNS directly we may have
problems.

diff --git a/src/dns_internal.cc b/src/dns_internal.cc
index 4348464a2f91f5515603e7b8117a4a881cda8cc5..ae35f216be5de1c4f76428cdefb8c79f42027be6 100755 (executable)
--- a/src/dns_internal.cc
+++ b/src/dns_internal.cc
@@ -1352,22 +1352,26 @@ idnsCacheQuery(idns_query *q)
 void
 idnsALookup(const char *name, IDNSCB * callback, void *data)
 {
-    unsigned int i;
-    int nd = 0;
-    idns_query *q;
+    size_t nameLength = strlen(name);
 
-    if (idnsCachedLookup(name, callback, data))
+    // Prevent buffer overflow on q->name
+    if (nameLength > NS_MAXDNAME) {
+        debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
+        callback(data, NULL, 0, "Internal error");
         return;
+    }
 
-    q = cbdataAlloc(idns_query);
+    if (idnsCachedLookup(name, callback, data))
+        return;
 
+    idns_query *q = cbdataAlloc(idns_query);
     q->id = idnsQueryID();
-
-    for (i = 0; i < strlen(name); i++)
+    int nd = 0;
+    for (unsigned int i = 0; i < nameLength; ++i)
         if (name[i] == '.')
             nd++;
 
-    if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
+    if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
         q->do_searchpath = 1;
     } else {
         q->do_searchpath = 0;