hno squid-2.3.STABLE1.http_reply_null_character.patch
authorhno <>
Wed, 3 May 2000 03:21:05 +0000 (03:21 +0000)
committerhno <>
Wed, 3 May 2000 03:21:05 +0000 (03:21 +0000)
Squid-2.3.STABLE1: Handle NULL characters in the server reply headers

Squid failed to detect the end of the server's HTTP headers if the server
wrongly responds with headers containing a NULL character. This could
cause an abnormal amount of cache_mem to be used during the request. (the
server in question was mp3 streaming, virtually unlimited in size)

ChangeLog
src/http.cc
src/structs.h

index 26ae7a0f2e908a2377ada8acd244a2dc768bbc42..c73c8376ef23c57d0edc884a2c3b8e9e9423779b 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -53,6 +53,8 @@ Changes to Squid-2.4.DEVEL3 ():
        - squid.conf.default now indicates if a directive isn't enabled in
          the installed binary, and what configure option to use for enabling it
        - Fixed a temporary memory leak on persistent POSTs
+       - Fixed a temporary memory leak when the server response headers
+         includes NULL characters
 
 Changes to Squid-2.4.DEVEL2 ():
 
index b1ed674d746d5edc2ab74472c22d5b4ca3b92053..95f8e32192b6d934a8035ba2e04cb57e2d3b8187 100644 (file)
@@ -1,6 +1,6 @@
 
 /*
- * $Id: http.cc,v 1.358 2000/05/02 18:51:51 hno Exp $
+ * $Id: http.cc,v 1.359 2000/05/02 21:21:08 hno Exp $
  *
  * DEBUG: section 11    Hypertext Transfer Protocol (HTTP)
  * AUTHOR: Harvest Derived
@@ -327,10 +327,12 @@ httpProcessReplyHeader(HttpStateData * httpState, const char *buf, int size)
     if (httpState->reply_hdr == NULL)
        httpState->reply_hdr = memAllocate(MEM_8K_BUF);
     assert(httpState->reply_hdr_state == 0);
-    hdr_len = strlen(httpState->reply_hdr);
+    hdr_len = httpState->reply_hdr_size;
     room = 8191 - hdr_len;
-    strncat(httpState->reply_hdr, buf, room < size ? room : size);
+    memcpy(httpState->reply_hdr + hdr_len, buf, room < size ? room : size);
     hdr_len += room < size ? room : size;
+    httpState->reply_hdr[hdr_len] = '\0';
+    httpState->reply_hdr_size = hdr_len;
     if (hdr_len > 4 && strncmp(httpState->reply_hdr, "HTTP/", 5)) {
        debug(11, 3) ("httpProcessReplyHeader: Non-HTTP-compliant header: '%s'\n", httpState->reply_hdr);
        httpState->reply_hdr_state += 2;
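Review bot: With the write offset now read from `httpState->reply_hdr_size` instead of `strlen()`, the `memcpy` destination is only in bounds if that field is 0 whenever `reply_hdr` is freshly allocated by the `memAllocate(MEM_8K_BUF)` branch at the top of this hunk, and nothing visible here establishes that. If the state object is not zero-filled on creation, or `reply_hdr` is ever released and allocated again without resetting the field (both outside this hunk, so unconfirmed), a stale value would make `room` wrong and the copy would land outside the 8K buffer. Resetting it in the allocation branch keeps the invariant local: `if (httpState->reply_hdr == NULL) { httpState->reply_hdr = memAllocate(MEM_8K_BUF); httpState->reply_hdr_size = 0; }`. The body of httpProcessReplyHeader starts and continues outside the hunk.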
@@ -340,9 +342,17 @@ httpProcessReplyHeader(HttpStateData * httpState, const char *buf, int size)
     t = httpState->reply_hdr + hdr_len;
     /* headers can be incomplete only if object still arriving */
     if (!httpState->eof) {
-       size_t k = headersEnd(httpState->reply_hdr, 8192);
-       if (0 == k)
-           return;             /* headers not complete */
+       size_t k = headersEnd(httpState->reply_hdr, hdr_len);
+       if (0 == k) {
+           if (hdr_len >= 8191 || room == 0) {
+               debug(11, 3) ("httpProcessReplyHeader: Too large HTTP header: '%s'\n", httpState->reply_hdr);
+               httpState->reply_hdr_state += 2;
+               reply->sline.status = HTTP_INVALID_HEADER;
+               return;
+           } else {
+               return;         /* headers not complete */
+           }
+       }
        t = httpState->reply_hdr + k;
     }
     *t = '\0';
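Review bot: The new `Too large HTTP header` debug line prints `reply_hdr` with `'%s'`, which stops at the first NUL byte, so for exactly the replies this commit targets the log shows only the prefix before the NUL and not the data that filled the buffer. Logging the length alongside makes the message reliable, e.g. `debug(11, 3) ("httpProcessReplyHeader: Too large HTTP header (%d bytes): '%s'\n", (int) hdr_len, httpState->reply_hdr);`. The `room == 0` test also looks redundant, since `room` is `8191 - hdr_len` before the copy in the previous hunk and a zero there already implies `hdr_len >= 8191`; a named constant for 8191 would tie both checks to `MEM_8K_BUF`. The function continues outside the hunk.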
index da498ad74800b97cdffead6c25a249f5dfcbfa73..76debdfecdc33ca306966b1433d552e5136fd12c 100644 (file)
@@ -1,6 +1,6 @@
 
 /*
- * $Id: structs.h,v 1.326 2000/05/02 21:04:01 hno Exp $
+ * $Id: structs.h,v 1.327 2000/05/02 21:21:09 hno Exp $
  *
  *
  * SQUID Internet Object Cache  http://squid.nlanr.net/Squid/
@@ -778,6 +778,7 @@ struct _HttpStateData {
     StoreEntry *entry;
     request_t *request;
     char *reply_hdr;
+    size_t reply_hdr_size;
     int reply_hdr_state;
     peer *peer;                        /* peer request made to */
     int eof;                   /* reached end-of-object? */
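Review bot: `reply_hdr_size` is added without a comment, and its meaning is easy to misread next to `reply_hdr`: going by the http.cc change it is the number of bytes in use, not the allocation size, and it excludes the terminating NUL. A comment such as `size_t reply_hdr_size;	/* bytes of reply_hdr in use, excluding the terminating '\0' */` would state that. The field is `size_t` while `httpProcessReplyHeader` takes `int size`, so the length arithmetic in http.cc may mix signed and unsigned operands; the declarations of `hdr_len` and `room` are not visible on this page, so that is worth checking. The struct definition starts and ends outside the hunk.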