From: Christos Tsantilas
Date: Sat, 9 May 2015 11:24:04 +0000 (-0700)
Subject: Fix assertion MemBuf.cc:380: "new_cap > (size_t) capacity" in SSL I/O buffer
X-Git-Tag: SQUID_3_5_5~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b31d6563c861e429e8e73d59dd8523618c823fec;p=thirdparty%2Fsquid.git

Fix assertion MemBuf.cc:380: "new_cap > (size_t) capacity" in SSL I/O buffer

The maximum buffer size for holding Server and Client SSL hello messages is only 16k which is not enough hold a Hello message which includes some extensions and 1-2 or more Certificates. This patch increases the maximum size to 65535 and also adds some checks to avoid squid crashes in the case the hello messages buffer overflows.

This is a Measurement Factory project
---
diff --git a/src/ssl/bio.cc b/src/ssl/bio.cc
index 9a78619479..564229e0a3 100644
--- a/src/ssl/bio.cc
+++ b/src/ssl/bio.cc
@@ -148,6 +148,13 @@ Ssl::Bio::stateChanged(const SSL *ssl, int where, int ret)
 SSL_state_string(ssl) << " (" << SSL_state_string_long(ssl) << ")");
 }
+void
+Ssl::Bio::prepReadBuf()
+{
+ if (rbuf.isNull())
+ rbuf.init(4096, 65536);
+}
+
 bool
 Ssl::ClientBio::isClientHello(int state)
 {
@@ -196,14 +203,14 @@ int
 Ssl::ClientBio::read(char *buf, int size, BIO *table)
 {
 if (helloState < atHelloReceived) {
-
- if (rbuf.isNull())
- rbuf.init(1024, 16384);
+ prepReadBuf();
 size = rbuf.spaceSize() > size ? size : rbuf.spaceSize();
- if (!size)
- return 0;
+ if (!size) {
+ debugs(83, DBG_IMPORTANT, "Not enough space to hold client SSL hello message");
+ return -1;
+ }
 int bytes = Ssl::Bio::read(buf, size, table);
 if (bytes <= 0)
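Review bot: `rbuf.init(4096, 65536)` in the new Ssl::Bio::prepReadBuf() hard-codes both sizes, and the cap it sets is 65536 while the commit message announces 65535. This value is the upper bound on hello bytes buffered per connection, so a reader has to be able to find and justify it; it deserves a named constant with a comment such as `// cap on recorded hello bytes per connection; a larger hello fails the handshake`. Which of the two numbers was intended should be settled at that definition.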
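Review bot: The `debugs(83, DBG_IMPORTANT, ...)` line added to Ssl::ClientBio::read is triggered by a condition the remote peer controls, yet it names no connection, and the matching message added to Ssl::ServerBio::read in the next hunk has the same gap. An operator reading the log cannot tell which peer sent the oversized hello, and repeated oversized hellos are each logged at the important level. Appending the descriptor, for example `<< " on FD " << fd_` (fd_ is the protected member shown in the bio.h hunk), would make the entry actionable. Note also that `!size` is true when the caller passes a zero `size`, in which case the message would be misleading. The function body continues past the end of this hunk.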
@@ -275,8 +282,13 @@ Ssl::ServerBio::read(char *buf, int size, BIO *table)
 int bytes = Ssl::Bio::read(buf, size, table);
 if (bytes > 0 && record_) {
- if (rbuf.isNull())
- rbuf.init(1024, 16384);
+ prepReadBuf();
+
+ if (rbuf.spaceSize() < bytes) {
+ debugs(83, DBG_IMPORTANT, "Not enough space to hold server hello message");
+ return -1;
+ }
+
 rbuf.append(buf, bytes);
 debugs(83, 5, "Record is enabled store " << bytes << " bytes");
 }
diff --git a/src/ssl/bio.h b/src/ssl/bio.h
index 9fc6c9332a..b6c14e6cdd 100644
--- a/src/ssl/bio.h
+++ b/src/ssl/bio.h
@@ -110,6 +110,9 @@ public:
 /// Tells ssl connection to use BIO and monitor state via stateChanged()
 static void Link(SSL *ssl, BIO *bio);
+ /// Prepare the rbuf buffer to accept hello data
+ void prepReadBuf();
+
 const MemBuf &rBufData() {return rbuf;}
 protected:
 const int fd_; ///< the SSL socket we are reading and writing
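Review bot: The space check in Ssl::ServerBio::read runs only after `Ssl::Bio::read(buf, size, table)` has already taken `bytes` from the socket, so the `return -1` abandons data that is sitting in the caller's `buf`, whereas the client path clamps `size` before it reads. If treating an over-cap server hello as a hard failure is the intent, that asymmetry should be stated next to the check, e.g. `// hello exceeds the rbuf cap: fail the read rather than pass on data we could not record`. It would also help to document what the caller sees for this -1, since no retry or error state is set in the visible lines. The function starts before and continues after this hunk.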
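Review bot: `prepReadBuf()` is declared in the public part of the class (the hunk sits under `public:` and ahead of `protected:`), although the only callers in this commit are the read() methods of Ssl::ClientBio and Ssl::ServerBio, which presumably derive from this class. Moving the declaration below `protected:` keeps outside code from initialising rbuf at arbitrary points. The doc comment could also state the contract, e.g. `/// Initialise rbuf with the hello-size cap if it is still null; later calls do nothing`. The class definition continues outside this hunk.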