File squid-3.1.12-bnc715171-CVE-2011-3205.patch of Package squid3.import5582
------------------------------------------------------------
revno: 10363
revision-id: squid3@treenet.co.nz-20110827123251-pv05hzp2c3eqsfo7
parent: squid3@treenet.co.nz-20110827103801-7t58le1xf97991l0
author: Henrik Nordstrom <henrik@henriknordstrom.net>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: SQUID_3_1
timestamp: Sat 2011-08-27 06:32:51 -0600
message:
Correct parsing of large Gopher indexes
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20110827123251-pv05hzp2c3eqsfo7
# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_1/
# testament_sha1: 501b014e543aacb1eb458696e59e7122c408c3a6
# timestamp: 2011-08-27 12:53:09 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_1
# base_revision_id: squid3@treenet.co.nz-20110827103801-\
# 7t58le1xf97991l0
#
# Begin patch
=== modified file 'src/gopher.cc'
--- src/gopher.cc 2010-08-18 01:38:05 +0000
+++ src/gopher.cc 2011-08-27 12:32:51 +0000
@@ -425,7 +425,6 @@
return;
}
- inbuf[len] = '\0';
String outbuf;
if (!gopherState->HTML_header_added) {
@@ -441,75 +440,48 @@
gopherState->HTML_pre = 1;
}
- while ((pos != NULL) && (pos < inbuf + len)) {
-
+ while (pos < inbuf + len) {
+ int llen;
+ int left = len - (pos - inbuf);
+ lpos = (char *)memchr(pos, '\n', left);
+ if (lpos) {
+ lpos++; /* Next line is after \n */
+ llen = lpos - pos;
+ } else {
+ llen = left;
+ }
+ if (gopherState->len + llen >= TEMP_BUF_SIZE) {
+ debugs(10, 1, "GopherHTML: Buffer overflow. Lost some data on URL: " << entry->url() );
+ llen = TEMP_BUF_SIZE - gopherState->len - 1;
+ }
+ if (!lpos) {
+ /* there is no complete line in inbuf */
+ /* copy it to temp buffer */
+ /* note: llen is adjusted above */
+ xmemcpy(gopherState->buf + gopherState->len, pos, llen);
+ gopherState->len += llen;
+ break;
+ }
+ if (!lpos) {
+ /* there is no complete line in inbuf */
+ /* copy it to temp buffer */
+ /* note: llen is adjusted above */
+ xmemcpy(gopherState->buf + gopherState->len, pos, llen);
+ gopherState->len += llen;
+ break;
+ }
if (gopherState->len != 0) {
/* there is something left from last tx. */
- xstrncpy(line, gopherState->buf, gopherState->len + 1);
-
- if (gopherState->len + len > TEMP_BUF_SIZE) {
- debugs(10, 1, "GopherHTML: Buffer overflow. Lost some data on URL: " << entry->url() );
- len = TEMP_BUF_SIZE - gopherState->len;
- }
-
- lpos = (char *) memccpy(line + gopherState->len, inbuf, '\n', len);
-
- if (lpos)
- *lpos = '\0';
- else {
- /* there is no complete line in inbuf */
- /* copy it to temp buffer */
-
- if (gopherState->len + len > TEMP_BUF_SIZE) {
- debugs(10, 1, "GopherHTML: Buffer overflow. Lost some data on URL: " << entry->url() );
- len = TEMP_BUF_SIZE - gopherState->len;
- }
-
- xmemcpy(gopherState->buf + gopherState->len, inbuf, len);
- gopherState->len += len;
- return;
- }
-
- /* skip one line */
- pos = (char *) memchr(pos, '\n', len);
-
- if (pos)
- pos++;
-
- /* we're done with the remain from last tx. */
+ xmemcpy(line, gopherState->buf, gopherState->len);
+ xmemcpy(line + gopherState->len, pos, llen);
+ llen += gopherState->len;
gopherState->len = 0;
-
- *(gopherState->buf) = '\0';
} else {
-
- lpos = (char *) memccpy(line, pos, '\n', len - (pos - inbuf));
-
- if (lpos)
- *lpos = '\0';
- else {
- /* there is no complete line in inbuf */
- /* copy it to temp buffer */
-
- if ((len - (pos - inbuf)) > TEMP_BUF_SIZE) {
- debugs(10, 1, "GopherHTML: Buffer overflow. Lost some data on URL: " << entry->url() );
- len = TEMP_BUF_SIZE;
- }
-
- if (len > (pos - inbuf)) {
- xmemcpy(gopherState->buf, pos, len - (pos - inbuf));
- gopherState->len = len - (pos - inbuf);
- }
-
- break;
- }
-
- /* skip one line */
- pos = (char *) memchr(pos, '\n', len);
-
- if (pos)
- pos++;
-
+ xmemcpy(line, pos, llen);
}
+ line[llen + 1] = '\0';
+ /* move input to next line */
+ pos = lpos;
/* at this point. We should have one line in buffer to process */
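Review bot: The terminator written by `line[llen + 1] = '\0';` lands one byte too far: both branches above copy exactly `llen` bytes into `line` (indices 0 to llen-1), so `line[llen]` is never set and whatever an earlier, longer line left there becomes part of the string parsed next. Because `llen` is clamped to `TEMP_BUF_SIZE - gopherState->len - 1` and then has `gopherState->len` added back, the index can reach `TEMP_BUF_SIZE`, which is one past the end if `line` is declared with `TEMP_BUF_SIZE` elements (its declaration is outside the hunk, so this needs confirming). I would write `line[llen] = '\0';` instead. Separately, the second `if (!lpos) { ... break; }` block is an exact copy of the first and can never run, since the first one already leaves the loop, so it should be dropped. The enclosing function starts and ends outside the hunk.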