components/squid/patches/CVE-2013-4115.patch
author April Chin <april.chin@oracle.com>
Wed, 11 Dec 2013 14:12:16 -0800
changeset 1592 1b2aaf6ad5a7
permissions -rw-r--r--
17471743 problem in UTILITY/SQUID
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
1592
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
     1
Fix for CVE-2013-4115
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
     2
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
     3
Buffer overflow in the idnsALookup function in dns_internal.cc in Squid
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
     4
3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
     5
cause a denial of service (memory corruption and server termination)
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
     6
via a long name in a DNS lookup request.
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
     7
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
     8
See http://www.squid-cache.org/Advisories/SQUID-2013_2.txt
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
     9
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    10
The patch comes from
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    11
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10487.patch
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    12
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    13
--- squid-3.1.23-orig/src/dns_internal.cc	2013-01-08 18:15:21.000000000 -0800
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    14
+++ squid-3.1.23/src/dns_internal.cc	2013-12-10 14:09:08.983526000 -0800
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    15
@@ -1532,22 +1532,26 @@
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    16
 void
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    17
 idnsALookup(const char *name, IDNSCB * callback, void *data)
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    18
 {
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    19
-    unsigned int i;
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    20
-    int nd = 0;
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    21
-    idns_query *q;
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    22
+    size_t nameLength = strlen(name);
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    23
 
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    24
-    if (idnsCachedLookup(name, callback, data))
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    25
+    // Prevent buffer overflow on q->name
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    26
+    if (nameLength > NS_MAXDNAME) {
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    27
+        debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    28
+        callback(data, NULL, 0, "Internal error");
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    29
         return;
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    30
+    }
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    31
 
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    32
-    q = cbdataAlloc(idns_query);
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    33
+    if (idnsCachedLookup(name, callback, data))
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    34
+        return;
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    35
 
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    36
+    idns_query *q = cbdataAlloc(idns_query);
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    37
     q->id = idnsQueryID();
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    38
-
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    39
-    for (i = 0; i < strlen(name); i++)
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    40
+    int nd = 0;
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    41
+    for (unsigned int i = 0; i < nameLength; ++i)
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    42
         if (name[i] == '.')
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    43
             nd++;
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    44
 
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    45
-    if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    46
+    if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    47
         q->do_searchpath = 1;
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    48
     } else {
1b2aaf6ad5a7 17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
parents:
diff changeset
    49
         q->do_searchpath = 0;