From: Amos Jeffries <squid3@treenet.co.nz>
Date: Mon, 2 Feb 2009 13:05:56 +0000 (+1300)
Subject: Fixup parsing of invalid version numbers
X-Git-Tag: SQUID_3_0_STABLE13~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=60222c9cb7357c8ccbdacbf2ab765fb607772ffe;p=thirdparty%2Fsquid.git

Fixup parsing of invalid version numbers
---

diff --git a/src/HttpMsg.cc b/src/HttpMsg.cc
index 1585b5225a..964832729d 100644
--- a/src/HttpMsg.cc
+++ b/src/HttpMsg.cc
@@ -463,7 +463,7 @@ HttpParserParseReqLine(HttpParser *hmsg)
 {
 	int i = 0;
 	int retcode = 0;
-	unsigned int maj = 0, min = 9;
+	unsigned int maj = 0, min = 0;
 	int last_whitespace = -1, line_end = -1;
 
         debugs(74, 5, "httpParserParseReqLine: parsing " << hmsg->buf);
@@ -568,10 +568,14 @@ HttpParserParseReqLine(HttpParser *hmsg)
 
 			/* next should be 1 or more digits */
 			maj = 0;
-			for (; i < hmsg->req_end && (isdigit(hmsg->buf[i])); i++) {
+			for (; i < hmsg->req_end && (isdigit(hmsg->buf[i])) && maj < 65536; i++) {
 				maj = maj * 10;
 				maj = maj + (hmsg->buf[i]) - '0';
 			}
+                        if (maj >= 65536) {
+                            retcode = -1;
+                            goto finish;
+                        }
 			if (i >= hmsg->req_end) {
 				retcode = 0;
 				goto finish;
@@ -590,10 +594,14 @@ HttpParserParseReqLine(HttpParser *hmsg)
 			/* next should be one or more digits */
 			i++;
 			min = 0;
-			for (; i < hmsg->req_end && (isdigit(hmsg->buf[i])); i++) {
+			for (; i < hmsg->req_end && (isdigit(hmsg->buf[i])) && min < 65536; i++) {
 				min = min * 10;
 				min = min + (hmsg->buf[i]) - '0';
 			}
+                        if (min >= 65536) {
+                            retcode = -1;
+                            goto finish;
+                        }
 
 			/* Find whitespace, end of version */
 			hmsg->v_end = i;