Fix for CVE-2013-4115
Buffer overflow in the idnsALookup function in dns_internal.cc in Squid
3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to
cause a denial of service (memory corruption and server termination)
via a long name in a DNS lookup request.
See http://www.squid-cache.org/Advisories/SQUID-2013_2.txt
The patch comes from
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10487.patch
--- squid-3.1.23-orig/src/dns_internal.cc 2013-01-08 18:15:21.000000000 -0800
+++ squid-3.1.23/src/dns_internal.cc 2013-12-10 14:09:08.983526000 -0800
@@ -1532,22 +1532,26 @@
void
idnsALookup(const char *name, IDNSCB * callback, void *data)
{
- unsigned int i;
- int nd = 0;
- idns_query *q;
+ size_t nameLength = strlen(name);
- if (idnsCachedLookup(name, callback, data))
+ // Prevent buffer overflow on q->name
+ if (nameLength > NS_MAXDNAME) {
+ debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
+ callback(data, NULL, 0, "Internal error");
return;
+ }
- q = cbdataAlloc(idns_query);
+ if (idnsCachedLookup(name, callback, data))
+ return;
+ idns_query *q = cbdataAlloc(idns_query);
q->id = idnsQueryID();
-
- for (i = 0; i < strlen(name); i++)
+ int nd = 0;
+ for (unsigned int i = 0; i < nameLength; ++i)
if (name[i] == '.')
nd++;
- if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
+ if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
q->do_searchpath = 1;
} else {
q->do_searchpath = 0;