File squid:bsc_929493:CVE-2015-3455.patch of Package squid.openSUSE_13.1_Update

------------------------------------------------------------
revno: 12690
revision-id: squid3@treenet.co.nz-20150501072150-vu3z63dervqgker2
parent: squid3@treenet.co.nz-20150501072107-r22x5azlu3sf49nk
author: Amos Jeffries <amosjeffries@squid-cache.org>, Christos Tsantilas <chtsanti@users.sourceforge.net>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.3
timestamp: Fri 2015-05-01 00:21:50 -0700
message:
  Fix X509 server certificate domain matching
  
  The X509 certificate domain fields may contain non-ASCII encodings.
  Ensure the domain match algorithm is only passed UTF-8 ASCII-compatible
  strings.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20150501072150-vu3z63dervqgker2
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# testament_sha1: 71f7464710595ffb8da41f6645ff84d45ce479ec
# timestamp: 2015-05-01 07:22:40 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# base_revision_id: squid3@treenet.co.nz-20150501072107-\
#   r22x5azlu3sf49nk
# 
# Begin patch
=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc	2013-09-11 01:53:34 +0000
+++ src/ssl/support.cc	2015-05-01 07:21:50 +0000
@@ -208,7 +208,13 @@
     if (cn_data->length > (int)sizeof(cn) - 1) {
         return 1; //if does not fit our buffer just ignore
     }
-    memcpy(cn, cn_data->data, cn_data->length);
+    char *s = reinterpret_cast<char*>(cn_data->data);
+    char *d = cn;
+    for (int i = 0; i < cn_data->length; ++i, ++d, ++s) {
+        if (*s == '\0')
+            return 1; // always a domain mismatch. contains 0x00
+        *d = *s;
+    }
     cn[cn_data->length] = '\0';
     debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn);
     return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn);