author  April Chin <april.chin@oracle.com> 
Wed, 11 Dec 2013 14:12:16 0800  
changeset 1592  1b2aaf6ad5a7 
permissions  rwrr 
1592
1b2aaf6ad5a7
17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
Fix for CVE-2013-4115 

Buffer overflow in the idnsALookup function in dns_internal.cc in Squid 
3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to 
cause a denial of service (memory corruption and server termination) 
via a long name in a DNS lookup request. 

See http://www.squid-cache.org/Advisories/SQUID-2013_2.txt 

The patch comes from 
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10487.patch 

13 
 squid3.1.23orig/src/dns_internal.cc 20130108 18:15:21.000000000 0800 
14 
+++ squid3.1.23/src/dns_internal.cc 20131210 14:09:08.983526000 0800 
15 
@@ 1532,22 +1532,26 @@ 
16 
void 
17 
idnsALookup(const char *name, IDNSCB * callback, void *data) 
18 
{ 
19 
 unsigned int i; 
20 
 int nd = 0; 
21 
 idns_query *q; 
22 
+ size_t nameLength = strlen(name); 
23 

24 
 if (idnsCachedLookup(name, callback, data)) 
25 
+ // Prevent buffer overflow on q>name 
26 
+ if (nameLength > NS_MAXDNAME) { 
27 
+ debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details."); 
28 
+ callback(data, NULL, 0, "Internal error"); 
29 
return; 
30 
+ } 
31 

32 
 q = cbdataAlloc(idns_query); 
33 
+ if (idnsCachedLookup(name, callback, data)) 
34 
+ return; 
35 

36 
+ idns_query *q = cbdataAlloc(idns_query); 
37 
q>id = idnsQueryID(); 
38 
 
39 
 for (i = 0; i < strlen(name); i++) 
40 
+ int nd = 0; 
41 
+ for (unsigned int i = 0; i < nameLength; ++i) 
42 
if (name[i] == '.') 
43 
nd++; 
44 

45 
 if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)1] != '.') { 
46 
+ if (Config.onoff.res_defnames && npc > 0 && name[nameLength1] != '.') { 
47 
q>do_searchpath = 1; 
48 
} else { 
49 
q>do_searchpath = 0; 
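Review bot: `name[nameLength-1]` in the `Config.onoff.res_defnames` condition indexes outside the string when `name` is empty, because `nameLength` is a `size_t` and `0 - 1` wraps; the new guard only rejects names that are too long. If an empty name can reach idnsALookup, a lower bound such as `nameLength > 0 && name[nameLength-1] != '.'` would close that. The added `debugs()` line also writes the whole over-long, client-influenced name into the log at DBG_IMPORTANT; logging `nameLength` or a truncated name would keep a single request from bloating the log. The function body continues past the hunk, so whether `nameLength > NS_MAXDNAME` leaves room for the terminator and for anything appended to `q->name` later cannot be confirmed from here.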