From: Amos Jeffries Date: Fri, 30 Nov 2012 11:04:55 +0000 (-0700) Subject: basic_smb_auth: Buffer overrun. X-Git-Tag: SQUID_3_2_4~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=645c2c39f266f621dfc0ad66a9dc320cd5f7da03;p=thirdparty%2Fsquid.git basic_smb_auth: Buffer overrun. A reply string expanding to >8KB after shell escaping can cause the helper memory corruption or crash as output buffer is overrun. Detected by Coverity Scan. Issue 740411 --- diff --git a/helpers/basic_auth/SMB/basic_smb_auth.cc b/helpers/basic_auth/SMB/basic_smb_auth.cc index 70782802b8..b5777463ab 100644 --- a/helpers/basic_auth/SMB/basic_smb_auth.cc +++ b/helpers/basic_auth/SMB/basic_smb_auth.cc @@ -82,8 +82,12 @@ print_esc(FILE * p, char *s) char *t; int i = 0; - for (t = s; *t != '\0'; t++) { - if (i > HELPER_INPUT_BUFFER-2) { + for (t = s; *t != '\0'; ++t) { + /* + * NP: The shell escaping permits 'i' to jump up to 2 octets per loop, + * so ensure we have at least 3 free. + */ + if (i > HELPER_INPUT_BUFFER-3) { buf[i] = '\0'; (void) fputs(buf, p); i = 0;
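Review bot: the new bound in `if (i > HELPER_INPUT_BUFFER-3)` is only safe if `buf` holds exactly HELPER_INPUT_BUFFER octets, and that declaration is outside this hunk, so the check and the buffer size can drift apart again. If `buf` is a local array, tie the test to it directly, for example `if (i + 3 > (int) sizeof(buf))`, which is the same condition without the repeated constant. The comment could also say what the third octet is for: two are the escaped pair written in one iteration, and the third is the terminator stored by `buf[i] = '\0'` at flush time. As written, "at least 3 free" reads as if one iteration could write three octets. The `t++` to `++t` change is unrelated to the overrun and would be easier to review as a separate cleanup.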