author | Petr Nyc <Petr.Nyc@Oracle.COM> |
Wed, 14 Jan 2015 05:09:18 -0800 | |
branch | s11u2-sru |
changeset 3634 | 876d5cc0531a |
parent 2852 | 3efbc4884df3 |
permissions | -rw-r--r-- |
2852
3efbc4884df3
17471743 problem in UTILITY/SQUID
April Chin <april.chin@oracle.com>
Fix for CVE-2013-4115 |
|
Buffer overflow in the idnsALookup function in dns_internal.cc in Squid |
3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to |
cause a denial of service (memory corruption and server termination) |
via a long name in a DNS lookup request. |
|
See http://www.squid-cache.org/Advisories/SQUID-2013_2.txt |
|
The patch comes from |
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10487.patch |
|
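--- squid-3.1.23-orig/src/dns_internal.cc 2013-01-08 18:15:21.000000000 -0800
+++ squid-3.1.23/src/dns_internal.cc 2013-12-10 14:09:08.983526000 -0800
@@ -1532,22 +1532,26 @@
 void
 idnsALookup(const char *name, IDNSCB * callback, void *data)
 {
- unsigned int i;
- int nd = 0;
- idns_query *q;
+ size_t nameLength = strlen(name);
 
- if (idnsCachedLookup(name, callback, data))
+ // Prevent buffer overflow on q->name
+ if (nameLength > NS_MAXDNAME) {
+ debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
+ callback(data, NULL, 0, "Internal error");
 return;
+ }
 
- q = cbdataAlloc(idns_query);
+ if (idnsCachedLookup(name, callback, data))
+ return;
 
+ idns_query *q = cbdataAlloc(idns_query);
 q->id = idnsQueryID();
-
- for (i = 0; i < strlen(name); i++)
+ int nd = 0;
+ for (unsigned int i = 0; i < nameLength; ++i)
 if (name[i] == '.')
 nd++;
 
- if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
+ if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
 q->do_searchpath = 1;
 } else {
 q->do_searchpath = 0;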
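Review bot: The new upper bound `nameLength > NS_MAXDNAME` has no matching lower bound, so an empty `name` would still reach `name[nameLength-1]` in the `res_defnames` condition, where `nameLength-1` wraps and the read falls outside the string. Whether any caller can pass an empty name is not visible here, but `nameLength > 0 && name[nameLength-1] != '.'` would make the condition safe either way. The check also bounds only the caller's name: idnsALookup continues past this hunk, and if that remainder appends a search-path domain to `q->name` when `do_searchpath` is set, the combined length needs its own check against the size of `q->name`. The `debugs` alert writes the entire rejected name to the log at DBG_IMPORTANT, so logging the length plus a capped prefix would keep an over-long request from inflating the log.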