Sophie: squid-3.2.10-1.6.mga3 src

squid-3.2.10-1.6.mga3.src.rpm

------------------------------------------------------------
revno: 11823
revision-id: squid3@treenet.co.nz-20130710124505-g0e8esasxasgsrvw
parent: squid3@treenet.co.nz-20130520060224-upc98530u9iq0tro
author: Nathan Hoad <nathan@getoffmalawn.com>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.2
timestamp: Wed 2013-07-10 06:45:05 -0600
message:
  Protect against buffer overrun in DNS query generation
  
  see SQUID-2013:2.
  
  This bug has been present as long as the internal DNS component however
  most code reaching this point is passing through URL validation first.
  With Squid-3.2 Host header verification using DNS directly we may have
  problems.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20130710124505-g0e8esasxasgsrvw
# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
#   /SQUID_3_2
# testament_sha1: 673e11100b7775ee7221e56b8e60ea0a52af4639
# timestamp: 2013-07-10 12:49:26 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
#   /SQUID_3_2
# base_revision_id: squid3@treenet.co.nz-20130520060224-\
#   upc98530u9iq0tro
# 
# Begin patch
=== modified file 'src/dns_internal.cc'
--- src/dns_internal.cc	2012-11-30 13:34:49 +0000
+++ src/dns_internal.cc	2013-07-10 12:45:05 +0000
@@ -1660,23 +1660,29 @@
 void
 idnsALookup(const char *name, IDNSCB * callback, void *data)
 {
-    unsigned int i;
+    size_t nameLength = strlen(name);
+
+    // Prevent buffer overflow on q->name
+    if (nameLength > NS_MAXDNAME) {
+        debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
+        callback(data, NULL, 0, "Internal error");
+        return;
+    }
+
+    if (idnsCachedLookup(name, callback, data))
+        return;
+
+    idns_query *q = cbdataAlloc(idns_query);
+    // idns_query is POD so no constructors are called after allocation
+    q->xact_id.change();
+    q->query_id = idnsQueryID();
+
     int nd = 0;
-    idns_query *q;
-
-    if (idnsCachedLookup(name, callback, data))
-        return;
-
-    q = cbdataAlloc(idns_query);
-    // idns_query is POD so no constructors are called after allocation
-    q->xact_id.change();
-    q->query_id = idnsQueryID();
-
-    for (i = 0; i < strlen(name); ++i)
+    for (unsigned int i = 0; i < nameLength; ++i)
         if (name[i] == '.')
             ++nd;
 
-    if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
+    if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
         q->do_searchpath = 1;
     } else {
         q->do_searchpath = 0;