From: Amos Jeffries <squid3@treenet.co.nz>
Date: Sun, 18 Nov 2012 11:37:48 +0000 (-0700)
Subject: basic_smb_auth: Buffer overrun.
X-Git-Tag: SQUID_3_3_0_2~33
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=756c32d87fd124eacbaacd9e65bbb619d0007d08;p=thirdparty%2Fsquid.git

basic_smb_auth: Buffer overrun.

A reply string expanding to >8KB after shell escaping can cause the helper
memory corruption or crash as output buffer is overrun.

 Detected by Coverity Scan. Issue 740411
---

diff --git a/helpers/basic_auth/SMB/basic_smb_auth.cc b/helpers/basic_auth/SMB/basic_smb_auth.cc
index 568f0a6db6..c89dc4ea30 100644
--- a/helpers/basic_auth/SMB/basic_smb_auth.cc
+++ b/helpers/basic_auth/SMB/basic_smb_auth.cc
@@ -82,7 +82,11 @@ print_esc(FILE * p, char *s)
     int i = 0;
 
     for (t = s; *t != '\0'; ++t) {
-        if (i > HELPER_INPUT_BUFFER-2) {
+        /*
+         * NP: The shell escaping permits 'i' to jump up to 2 octets per loop,
+         *     so ensure we have at least 3 free.
+         */
+        if (i > HELPER_INPUT_BUFFER-3) {
             buf[i] = '\0';
             (void) fputs(buf, p);
             i = 0;