17471743 problem in UTILITY/SQUID s11-update
authorApril Chin <april.chin@oracle.com>
Mon, 16 Dec 2013 13:24:42 -0800
branchs11-update
changeset 2852 3efbc4884df3
parent 2851 534bc67e643c
child 2853 f549a6950e55
17471743 problem in UTILITY/SQUID
components/squid/patches/CVE-2013-4115.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/squid/patches/CVE-2013-4115.patch	Mon Dec 16 13:24:42 2013 -0800
@@ -0,0 +1,49 @@
+Fix for CVE-2013-4115
+
+Buffer overflow in the idnsALookup function in dns_internal.cc in Squid
+3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to
+cause a denial of service (memory corruption and server termination)
+via a long name in a DNS lookup request.
+
+See http://www.squid-cache.org/Advisories/SQUID-2013_2.txt
+
+The patch comes from
+http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10487.patch
+
+--- squid-3.1.23-orig/src/dns_internal.cc	2013-01-08 18:15:21.000000000 -0800
++++ squid-3.1.23/src/dns_internal.cc	2013-12-10 14:09:08.983526000 -0800
[email protected]@ -1532,22 +1532,26 @@
+ void
+ idnsALookup(const char *name, IDNSCB * callback, void *data)
+ {
+-    unsigned int i;
+-    int nd = 0;
+-    idns_query *q;
++    size_t nameLength = strlen(name);
+ 
+-    if (idnsCachedLookup(name, callback, data))
++    // Prevent buffer overflow on q->name
++    if (nameLength > NS_MAXDNAME) {
++        debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
++        callback(data, NULL, 0, "Internal error");
+         return;
++    }
+ 
+-    q = cbdataAlloc(idns_query);
++    if (idnsCachedLookup(name, callback, data))
++        return;
+ 
++    idns_query *q = cbdataAlloc(idns_query);
+     q->id = idnsQueryID();
+-
+-    for (i = 0; i < strlen(name); i++)
++    int nd = 0;
++    for (unsigned int i = 0; i < nameLength; ++i)
+         if (name[i] == '.')
+             nd++;
+ 
+-    if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
++    if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
+         q->do_searchpath = 1;
+     } else {
+         q->do_searchpath = 0;