From: Amos Jeffries Date: Sun, 9 Mar 2014 01:47:23 +0000 (-0700) Subject: Protect MemBlob::append() against raw-space writes X-Git-Tag: SQUID_3_4_4~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44310ae783178171a9d2cc796f6baf905928e657;p=thirdparty%2Fsquid.git Protect MemBlob::append() against raw-space writes There is no guarantee that the 'unused' area of MemBlob is actually unused. For example if a read buffer was being filled into the rawSpace() of a SBuf or MemBlob it will overlap with this empty area until a read call updates the related size state in MemBlob/SBuf. For these cases we must use memmove() which guarantees no buffer corruption will take place on memory overlaps. --- diff --git a/src/MemBlob.cc b/src/MemBlob.cc index 8cb0c8044e..1c26f6a5d4 100644 --- a/src/MemBlob.cc +++ b/src/MemBlob.cc @@ -122,8 +122,7 @@ MemBlob::append(const char *source, const size_type n) if (n > 0) { // appending zero bytes is allowed but only affects the stats Must(willFit(n)); Must(source); - /// \note memcpy() is safe because we copy to an unused area - memcpy(mem + size, source, n); + memmove(mem + size, source, n); size += n; } ++Stats.append;
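Review bot: the memmove() line in MemBlob::append() drops the old `\note` comment without replacing it, so nothing in the code records why the overlap-safe copy is required. The commit message gives the reason (source may point into the blob's own rawSpace() before the size state is updated); a short comment above `memmove(mem + size, source, n);` saying that source may overlap the destination would keep a later cleanup from switching back to memcpy(), whose behaviour on overlapping regions is undefined. The diff shown touches only src/MemBlob.cc, so a unit test that appends from a pointer inside the blob's own raw space would be worth adding with it.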