From 059faae39c9f19885fea4bf6e3b2b52c8c127b89 Mon Sep 17 00:00:00 2001
From: Joshua Rogers <MegaManSec@users.noreply.github.com>
Date: Mon, 8 Sep 2025 14:43:54 +0000
Subject: [PATCH] Do not allow client_ip_max_connections+1 connections (#2168)

Previously, setting client_ip_max_connections to a non-negative N would
allow N+1 client connections, due to an off-by-one error.
---
 doc/release-notes/release-8.sgml.in | 9 +++++++++
 src/comm/TcpAcceptor.cc             | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/doc/release-notes/release-8.sgml.in b/doc/release-notes/release-8.sgml.in
index 4655df84a4..2c7a44edd1 100644
--- a/doc/release-notes/release-8.sgml.in
+++ b/doc/release-notes/release-8.sgml.in
@@ -95,6 +95,15 @@ This section gives an account of those changes in three categories:
 	<em>src_as</em> and <em>dst_as</em> ACLs, Squid no longer initiates ASN
 	lookups.
 
+	<tag>client_ip_max_connections</tag>
+
+	<p>Fixed off-by-one enforcement. Squid now allows at most <em>N</em>
+	concurrent connections per client IP (not <em>N</em>+1), where <em>N</em>
+	is the configured directive value. Deployments that relied on the extra
+	connection should increase the configured limit by one to preserve
+	previous behavior.
+
+
 </descrip>
 
 <sect1>Removed directives<label id="removeddirectives">
diff --git a/src/comm/TcpAcceptor.cc b/src/comm/TcpAcceptor.cc
index bdf3b04b36..e657e4d90d 100644
--- a/src/comm/TcpAcceptor.cc
+++ b/src/comm/TcpAcceptor.cc
@@ -414,7 +414,7 @@ Comm::TcpAcceptor::acceptInto(Comm::ConnectionPointer &details)
     details->nfConnmark = Ip::Qos::getNfConnmark(details, Ip::Qos::dirAccepted);
 
     if (Config.client_ip_max_connections >= 0) {
-        if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) {
+        if (clientdbEstablished(details->remote, 0) >= Config.client_ip_max_connections) {
             debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections.");
             return false;
         }
-- 
2.47.3