From: Alex Rousskov Date: Thu, 17 Sep 2015 05:46:55 +0000 (-0700) Subject: Bug 4309: Squid crashed when Skype login X-Git-Tag: SQUID_3_5_9~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8c5570b0e582a4dc137f92ab376a5da5d8fa461;p=thirdparty%2Fsquid.git Bug 4309: Squid crashed when Skype login Do not assume that (char << 8) cannot overflow a short integer. Be more consistent with storing certificate-related lengths.
---
diff --git a/src/ssl/bio.cc b/src/ssl/bio.cc
index 684afccd93..ac3d11059f 100644
--- a/src/ssl/bio.cc
+++ b/src/ssl/bio.cc
@@ -928,9 +928,9 @@ Ssl::Bio::sslFeatures::parseV3ServerHello(const unsigned char *hello, size_t siz
 pToExtensions += 2;
 const unsigned char *ext = pToExtensions;
 while (ext + 4 <= pToExtensions + extensionsLen) {
- const short extType = (ext[0] << 8) | ext[1];
+ const size_t extType = (ext[0] << 8) | ext[1];
 ext += 2;
- const short extLen = (ext[0] << 8) | ext[1];
+ const size_t extLen = (ext[0] << 8) | ext[1];
 ext += 2;
 debugs(83, 7, "TLS Extension: " << std::hex << extType << " of size:" << extLen);
 // SessionTicket TLS Extension, RFC5077 section 3.2
@@ -1036,9 +1036,9 @@ Ssl::Bio::sslFeatures::parseV3Hello(const unsigned char *hello, size_t size)
 pToExtensions += 2;
 const unsigned char *ext = pToExtensions;
 while (ext + 4 <= pToExtensions + extensionsLen) {
- const short extType = (ext[0] << 8) | ext[1];
+ const size_t extType = (ext[0] << 8) | ext[1];
 ext += 2;
- const short extLen = (ext[0] << 8) | ext[1];
+ const size_t extLen = (ext[0] << 8) | ext[1];
 ext += 2;
 debugs(83, 7, "TLS Extension: " << std::hex << extType << " of size:" << extLen);
 
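Review bot: After `extLen` is read in the parseV3ServerHello loop, nothing in the hunk compares it with the bytes left in the extensions block; the `while` condition only guarantees the four header bytes. Widening to `size_t` keeps a length of 0x8000 or more from turning negative, but a length that runs past `pToExtensions + extensionsLen` would still reach the per-extension parsing. A guard right after the second `ext += 2`, for example `if (extLen > static_cast<size_t>(pToExtensions + extensionsLen - ext)) break;`, would close that, and the same applies to the identical loop in the parseV3Hello hunk at -1036. Both loop bodies continue outside their hunks, so a later check may already exist there.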
@@ -1053,8 +1053,9 @@ Ssl::Bio::sslFeatures::parseV3Hello(const unsigned char *hello, size_t size)
 // The next byte is the hostname type, it should be '0' for normal hostname (ext[2] == 0)
 // The 3rd and 4th bytes are the length of the hostname
 if (extType == 0 && ext[2] == 0) {
- const int hostLen = (ext[3] << 8) | ext[4];
- serverName.assign((const char *)(ext+5), hostLen);
+ const size_t hostLen = (ext[3] << 8) | ext[4];
+ if (hostLen < extLen)
+ serverName.assign((const char *)(ext+5), hostLen);
 debugs(83, 7, "Found server name: " << serverName);
 } else if (extType == 15 && ext[0] != 0) {
 // The heartBeats are the type 15, RFC6520
@@ -1071,7 +1072,7 @@ Ssl::Bio::sslFeatures::parseV3Hello(const unsigned char *hello, size_t size)
 // detected TLS next protocol negotiate extension
 } else if (extType == 0x10) {
 // Application-Layer Protocol Negotiation Extension, RFC7301
- const int listLen = (ext[0] << 8) | ext[1];
+ const size_t listLen = (ext[0] << 8) | ext[1];
 if (listLen < extLen)
 tlsAppLayerProtoNeg.assign((const char *)(ext+5), listLen);
 } else
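Review bot: The new guard `if (hostLen < extLen)` ignores the five bytes that precede the host name, so a `hostLen` of up to `extLen - 1` still lets `serverName.assign()` read up to four bytes past the end of the extension. The branch also reads `ext[2]`, `ext[3]` and `ext[4]` before anything confirms that `extLen` is at least 5. I would tighten both: `if (extType == 0 && extLen >= 5 && ext[2] == 0)` for the branch and `if (hostLen <= extLen - 5)` for the copy. The `debugs` line after the guard runs even when the length is rejected, so it logs "Found server name" with whatever `serverName` held before. The ALPN branch in the next hunk has the same offset-blind comparison, `listLen < extLen` with a copy from `ext+5`.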
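Review bot: In the ALPN branch the copy starts at `ext+5`, although `listLen` is read from `ext[0]` and `ext[1]`, which suggests the list begins at `ext+2`; the offset looks carried over from the SNI branch. If so, the stored value drops the first three bytes of the list and picks up three bytes from whatever follows it. Something like `if (extLen >= 2 && listLen <= extLen - 2)` with `tlsAppLayerProtoNeg.assign((const char *)(ext+2), listLen);` would match the RFC 7301 layout. Please confirm against how `tlsAppLayerProtoNeg` is consumed, since the branch continues outside the hunk.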