List: squid-dev
Subject: (possible?) bugfix for squid-3.0
From: garana () uolsinectis ! com ! ar
Date: 2004-03-12 14:47:29
Message-ID: 20040312114729.51697cf3.garana () uolsinectis ! com ! ar
Hi,
The patch attached fixes a possible bug:
in pconn.cc:314 there is a call to strncpy, but xstrncpy should be used, since strcmp is used for key comparison (pconn.cc:231).
pconnKey:
snprintf(buf, SQUIDHOSTNAMELEN * 2 + 10, ....);
pconnPop:
strncpy(key, pconnKey(host, port, domain), SQUIDHOSTNAMELEN + 10);
so, there is a chance that 'key' isn't actually zero terminated, which is a problem since strcmp is used in key comparison.
There are other strncpy calls that seem dangerous:
src/neighbors.cc:904
src/tools.cc:1221
I haven't come across a bug in these calls yet, though.
This could explain some of the memory corruption (in really long hostname lengths).
Hope this helps,
--
Gonzalo Arana
Ingenieria
UOLSinectis
Florida 537 Piso 6, Buenos Aires, Argentina
+54-11-4321-9110 ext 2543
http://www.uolsinectis.com.ar/
["squid-strncpy-bug.patch" (text/plain)]
diff -bur squid-3.0-PRE3-20040302-ori/src/pconn.cc squid-3.0-PRE3-20040302/src/pconn.cc
--- squid-3.0-PRE3-20040302-ori/src/pconn.cc Sat Aug 16 07:04:34 2003
+++ squid-3.0-PRE3-20040302/src/pconn.cc Thu Mar 11 17:32:23 2004
@@ -262,7 +262,7 @@
}
assert(table != NULL);
- strncpy(key, pconnKey(host, port, domain), SQUIDHOSTNAMELEN + 10);
+ xstrncpy(key, pconnKey(host, port, domain), SQUIDHOSTNAMELEN + 10);
p = (struct _pconn *) hash_lookup(table, key);
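Review bot: The xstrncpy call on the changed line still bounds the copy at SQUIDHOSTNAMELEN + 10, while the message states that pconnKey formats into SQUIDHOSTNAMELEN * 2 + 10 bytes, so a long host plus domain is now terminated but silently truncated before hash_lookup. Two different host/port/domain combinations that share the same leading bytes would then resolve to the same key. Consider sizing key to match pconnKey's buffer, or refusing the lookup when the key does not fit, instead of looking up a shortened key.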
@@ -310,7 +310,7 @@
int fd = -1;
LOCAL_ARRAY(char, key, SQUIDHOSTNAMELEN + 10);
assert(table != NULL);
- strncpy(key, pconnKey(host, port, domain), SQUIDHOSTNAMELEN + 10);
+ xstrncpy(key, pconnKey(host, port, domain), SQUIDHOSTNAMELEN + 10);
hptr = (hash_link *)hash_lookup(table, key);
if (hptr != NULL) {
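Review bot: The length SQUIDHOSTNAMELEN + 10 is written out twice in this hunk, once in LOCAL_ARRAY and once in the xstrncpy call, and has to be kept in sync by hand. A single named constant used for both (or sizeof(key), if LOCAL_ARRAY expands to a true array here) would tie the copy bound to the buffer. The patch also leaves the strncpy calls the message lists at src/neighbors.cc:904 and src/tools.cc:1221 unchanged; they need the same termination check before any string function reads the result.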
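Added example (not part of the original message and not Squid's code): the termination problem the message describes, reproduced in isolation. HOSTLEN, LONG_KEY and copy_terminated are constructed stand-ins; copy_terminated only models the "always terminate" behaviour the message relies on from xstrncpy.

```c
#include <stdio.h>
#include <string.h>

#define HOSTLEN 8                 /* constructed stand-in for SQUIDHOSTNAMELEN */
#define KEYLEN  (HOSTLEN + 10)    /* size of 'key' in the patched functions */
/* Constructed key, longer than KEYLEN, in a host:port/domain shape. */
#define LONG_KEY "longhost.example:3128/longdomain.example"

/* 1 if buf[0..n-1] holds a NUL, i.e. strcmp() on it stays inside the buffer. */
static int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Hypothetical terminating copy: at most n-1 bytes plus a NUL.
 * Returns 1 when src did not fit, so callers can reject a shortened key. */
static int copy_terminated(char *dst, const char *src, size_t n)
{
    size_t len = strlen(src);
    size_t take = (len < n) ? len : n - 1;   /* caller passes n >= 1 */
    memcpy(dst, src, take);
    dst[take] = '\0';
    return len >= n;
}

/* strncpy with bound == buffer size: 1 if the result is terminated, else 0. */
static int strncpy_terminates(const char *src)
{
    char key[KEYLEN];
    memset(key, 'X', sizeof(key));          /* stale, non-zero buffer contents */
    strncpy(key, src, sizeof(key));
    return is_terminated(key, sizeof(key));
}

/* Terminating copy: -1 if unterminated, 0 if src fit, 1 if it was truncated. */
static int safe_copy_status(const char *src)
{
    char key[KEYLEN];
    memset(key, 'X', sizeof(key));
    int truncated = copy_terminated(key, src, sizeof(key));
    return is_terminated(key, sizeof(key)) ? truncated : -1;
}

int main(void)
{
    printf("strncpy: short=%d long=%d\n", strncpy_terminates("a:80/b"), strncpy_terminates(LONG_KEY));
    printf("terminating copy, long key: status=%d\n", safe_copy_status(LONG_KEY));
    return 0;
}
```

A source exactly KEYLEN bytes long is already enough to leave the strncpy result unterminated; the terminating copy reports such keys as truncated instead.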