From: Francesco Chemolli <5175948+kinkie@users.noreply.github.com> Date: Sun, 2 Jun 2024 14:41:16 +0000 (+0000) Subject: Bug 5378: type mismatch in libTrie (#1830) X-Git-Tag: SQUID_6_10~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67f5496f7b72e698ad0f5aa3512c83089424f27f;p=thirdparty%2Fsquid.git Bug 5378: type mismatch in libTrie (#1830) TrieNode::add() incorrectly computed an offset of an internal data structure, resulting in out-of-bounds memory accesses that could cause corruption or crashes. This bug was discovered and detailed by Joshua Rogers at https://megamansec.github.io/Squid-Security-Audit/esi-underflow.html where it was filed as "Buffer Underflow in ESI". --- diff --git a/lib/libTrie/TrieNode.cc b/lib/libTrie/TrieNode.cc index 0f991a06d3..d417e0f544 100644 --- a/lib/libTrie/TrieNode.cc +++ b/lib/libTrie/TrieNode.cc @@ -32,7 +32,7 @@ TrieNode::add(char const *aString, size_t theLength, void *privatedata, TrieChar /* We trust that privatedata and existent keys have already been checked */ if (theLength) { - int index = transform ? (*transform)(*aString): *aString; + const unsigned char index = transform ? (*transform)(*aString): *aString; if (!internal[index]) internal[index] = new TrieNode;
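Review bot: In TrieNode::add(), the new `const unsigned char index` initializer depends on an implicit narrowing conversion from the result of `(*transform)(*aString)` or from `*aString` (a plain char, which is negative for bytes above 0x7F where char is signed), and nothing in the hunk records why the type matters. Consider an explicit `static_cast<unsigned char>(...)` on the expression, plus a one-line comment that the value subscripts `internal[]` and must never be negative, so a later cleanup does not change it back to int. The type alone only bounds the index to 0..UCHAR_MAX, so the access is safe only if `internal` has at least UCHAR_MAX + 1 entries. That declaration is not visible in this hunk, so a static_assert on the array size next to it would make the assumption checkable at compile time. It is also worth confirming that any other code deriving an index into `internal` from a char in the same way uses the same unsigned type.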