From: Joshua Rogers Date: Mon, 8 Sep 2025 14:43:54 +0000 (+0000) Subject: Do not allow client_ip_max_connections+1 connections (#2168) X-Git-Tag: SQUID_7_2~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3469a6f97f4d3dae63cb566771cdfc7b6867f8cd;p=thirdparty%2Fsquid.git Do not allow client_ip_max_connections+1 connections (#2168) Previously, setting client_ip_max_connections to a non-negative N would allow N+1 client connections, due to an off-by-one error. --- diff --git a/doc/release-notes/release-7.sgml.in b/doc/release-notes/release-7.sgml.in index e1f6b985e5..b0075b3428 100644 --- a/doc/release-notes/release-7.sgml.in +++ b/doc/release-notes/release-7.sgml.in @@ -184,6 +184,14 @@ This section gives an account of those changes in three categories:

Removed the non_peers action. See the Cache Manager for details. + + client_ip_max_connections +

Fixed off-by-one enforcement. Squid now allows at most N + concurrent connections per client IP (not N+1), where N + is the configured directive value. Deployments that relied on the extra + connection should increase the configured limit by one to preserve + previous behavior. + dns_packet_max

Honor positive dns_packet_max values when sending DNS A queries and PTR queries containing IPv4 addresses. Prior to this change, Squid did diff --git a/src/comm/TcpAcceptor.cc b/src/comm/TcpAcceptor.cc index 094fa3a52d..4cf8d4896a 100644 --- a/src/comm/TcpAcceptor.cc +++ b/src/comm/TcpAcceptor.cc @@ -413,7 +413,7 @@ Comm::TcpAcceptor::acceptInto(Comm::ConnectionPointer &details) details->nfConnmark = Ip::Qos::getNfConnmark(details, Ip::Qos::dirAccepted); if (Config.client_ip_max_connections >= 0) { - if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) { + if (clientdbEstablished(details->remote, 0) >= Config.client_ip_max_connections) { debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections."); return false; }
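Review bot: the release-note entry for client_ip_max_connections leaves out the case that changes most, a configured value of 0. With the new comparison in TcpAcceptor.cc, zero established connections already satisfies `clientdbEstablished(...) >= 0`, so every connection is refused, whereas before this patch a value of 0 still let one connection per client IP through. Since the surrounding `if (Config.client_ip_max_connections >= 0)` guard means only negative values skip the check, the note should say plainly that 0 now rejects all client connections and that a negative value disables the limit, instead of only advising operators to "increase the configured limit by one". The directive's own configuration documentation is not touched by this patch; if it describes the limit, check that its wording agrees with the new at-most-N behaviour.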
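Review bot: the change from `>` to `>=` in acceptInto is correct only because `clientdbEstablished(details->remote, 0)` counts the connections this IP already has established and not the one being accepted, which is what the commit message's "N+1" observation implies; add a one-line comment at the check saying that an established count equal to the limit means this connection would be number N+1, otherwise the next reader is likely to "fix" `>=` back to `>`. The warning text "attempting more than N connections" is now accurate, since it fires on the N+1th attempt rather than the N+2th. A regression test that sets client_ip_max_connections to 1, opens two connections from one address and checks that the second is refused would keep the off-by-one from returning. Also decide whether a configured 0 refusing every connection is intended; if not, treat 0 like the negative values the `>= 0` guard already excludes and skip the check.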