File SQUID_2016_6.patch of Package squid.1316
------------------------------------------------------------
revno: 12697
revision-id: squid3@treenet.co.nz-20160420111636-ft1dbd1iuktj8ift
parent: squid3@treenet.co.nz-20160420101500-nm50i4u3iftemzs6
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.3
timestamp: Wed 2016-04-20 23:16:36 +1200
message:
Fix several ESI element construction issues
* Do not wrap active logic in assert().
* Fix localbuf array bounds checking.
* Add Must() conditions to verify array writes will succeed
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20160420111636-ft1dbd1iuktj8ift
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# testament_sha1: 51aac9164cc49f99fb4332cec62403e3500433fd
# timestamp: 2016-04-20 11:21:10 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# base_revision_id: squid3@treenet.co.nz-20160420101500-\
# nm50i4u3iftemzs6
#
# Begin patch
=== modified file 'src/esi/Esi.cc'
--- src/esi/Esi.cc 2013-01-02 03:44:55 +0000
+++ src/esi/Esi.cc 2016-04-20 11:16:36 +0000
@@ -1007,7 +1007,7 @@
ESIElement::Pointer element;
int specifiedattcount = attrCount * 2;
char *position;
- assert (ellen < sizeof (localbuf)); /* prevent unexpected overruns. */
+ Must(ellen < sizeof(localbuf)); /* prevent unexpected overruns. */
debugs(86, 5, "ESIContext::Start: element '" << el << "' with " << specifiedattcount << " tags");
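Review bot: The guard `Must(ellen < sizeof(localbuf))` is looser than what the pass-through copy in the next hunk needs, since that code writes `<`, the name, and later `>` plus a terminator, and its closing check is `position - localbuf < sizeof(localbuf) - 2`. A name within the last few bytes of the limit therefore passes here and is only rejected by a later Must(), after it has been clipped by `xstrncpy` (assuming that helper truncates and NUL-terminates). The end-element path in the last hunk already uses `Must(ellen < sizeof(localbuf) - 3);`, and the same bound here would reject an oversized name before any write happens. The enclosing function starts and ends outside this hunk, so whether this check is also meant to cover other element types cannot be confirmed from here.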
@@ -1021,15 +1021,17 @@
/* Spit out elements we aren't interested in */
localbuf[0] = '<';
localbuf[1] = '\0';
- assert (xstrncpy (&localbuf[1], el, sizeof(localbuf) - 2));
+ xstrncpy(&localbuf[1], el, sizeof(localbuf) - 2);
position = localbuf + strlen (localbuf);
for (i = 0; i < specifiedattcount && attr[i]; i += 2) {
+ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 1);
*position = ' ';
++position;
/* TODO: handle thisNode gracefully */
- assert (xstrncpy (position, attr[i], sizeof(localbuf) + (position - localbuf)));
+ xstrncpy(position, attr[i], sizeof(localbuf) - (position - localbuf));
position += strlen (position);
+ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 2);
*position = '=';
++position;
*position = '\"';
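Review bot: Each new `Must()` in this loop turns an oversized element or attribute, which comes from the document being parsed, into a thrown exception, and nothing in the hunk shows where that exception is handled. If this function is invoked from a C XML-parser callback (not visible here), the throw has to be caught before it unwinds through that library, and the handler should fail the ESI parse for this response rather than end the worker. A comment above the loop such as `/* Must() failures are caught in <handler>; oversized markup fails this ESI parse */` (placeholder name) would record that contract. The loop body continues into the next hunk.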
@@ -1038,18 +1040,21 @@
char ch;
while ((ch = *chPtr++) != '\0') {
if (ch == '\"') {
- assert( xstrncpy(position, """, sizeof(localbuf) + (position-localbuf)) );
+ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 6);
+ xstrncpy(position, """, sizeof(localbuf) - (position-localbuf));
position += 6;
} else {
+ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 1);
*position = ch;
++position;
}
}
- position += strlen (position);
+ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 1);
*position = '\"';
++position;
}
+ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 2);
*position = '>';
++position;
*position = '\0';
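Review bot: The same bounds expression is written out six times across this hunk and the previous one with hand-computed margins (`- 1`, `- 2`, `- 6`), and the `6` has to stay in step with both the entity literal and `position += 6`. The literal is shown as `"""` on this page; from the increment it is presumably the six-character quote entity. Deriving the length from the literal, e.g. `static const char quoteEntity[] = "&quot;";` with `sizeof(quoteEntity) - 1` used for both the check and the increment, and computing `const size_t used = static_cast<size_t>(position - localbuf);` once per write, would make each margin checkable at a glance. For the two writes visible after it, the final check before `'>'` uses `- 2` where `- 1` would suffice; that errs on the safe side, but a short comment would keep it from being "corrected" later.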
@@ -1135,11 +1140,11 @@
switch (ESIElement::IdentifyElement (el)) {
case ESIElement::ESI_ELEMENT_NONE:
- assert (ellen < sizeof (localbuf)); /* prevent unexpected overruns. */
+ Must(ellen < sizeof(localbuf) - 3); /* prevent unexpected overruns. */
/* Add elements we aren't interested in */
localbuf[0] = '<';
localbuf[1] = '/';
- assert (xstrncpy (&localbuf[2], el, sizeof(localbuf) - 3));
+ xstrncpy(&localbuf[2], el, sizeof(localbuf) - 3);
position = localbuf + strlen (localbuf);
*position = '>';
++position;