From: Nathan Hoad
Date: Wed, 10 Jul 2013 12:48:16 +0000 (-0600)
Subject: Protect against buffer overrun in DNS query generation
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4bc7b45b21cae91b86d4adb57e763abf8195fb86;p=thirdparty%2Fsquid.git
Protect against buffer overrun in DNS query generation
see SQUID-2013:2.
This bug has been present as long as the internal DNS component however most code reaching this point is passing through URL validation first. With Squid-3.2 Host header verification using DNS directly we may have problems.
---
diff --git a/src/dns_internal.cc b/src/dns_internal.cc
index 4348464a2f..ae35f216be 100755
--- a/src/dns_internal.cc
+++ b/src/dns_internal.cc
@@ -1352,22 +1352,26 @@ idnsCacheQuery(idns_query *q)
 void
 idnsALookup(const char *name, IDNSCB * callback, void *data)
 {
- unsigned int i;
- int nd = 0;
- idns_query *q;
+ size_t nameLength = strlen(name);
- if (idnsCachedLookup(name, callback, data))
+ // Prevent buffer overflow on q->name
+ if (nameLength > NS_MAXDNAME) {
+ debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
+ callback(data, NULL, 0, "Internal error");
 return;
+ }
- q = cbdataAlloc(idns_query);
+ if (idnsCachedLookup(name, callback, data))
+ return;
+ idns_query *q = cbdataAlloc(idns_query);
 q->id = idnsQueryID();
-
- for (i = 0; i < strlen(name); i++)
+ int nd = 0;
+ for (unsigned int i = 0; i < nameLength; ++i)
 if (name[i] == '.')
 nd++;
- if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
+ if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
 q->do_searchpath = 1;
 } else {
 q->do_searchpath = 0;
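Review bot: The index `name[nameLength-1]` in the `res_defnames` condition is still evaluated for an empty name, where `nameLength - 1` wraps around and the read lands outside the string; the new guard rejects only names that are too long. Guarding the index, `if (Config.onoff.res_defnames && npc > 0 && nameLength > 0 && name[nameLength-1] != '.') {`, closes that case unless callers or `idnsCachedLookup()` already reject empty names, which the hunk does not show. The `>` comparison also admits a name of exactly `NS_MAXDNAME` characters, so it is worth confirming that `q->name` is declared with room for the terminator and that any search-domain suffix appended later in the function is counted against the same limit. The body of idnsALookup continues past the end of the hunk, so the copy into `q->name` itself is not visible here.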