
List:       squid-dev
Subject:    Re: [squid-dev] [PATCH] snprintf result used without validating its range
From:       Amos Jeffries <squid3 () treenet ! co ! nz>
Date:       2016-02-10 10:59:16
Message-ID: 56BB1804.3020304 () treenet ! co ! nz

On 10/02/2016 6:25 a.m., Yuriy M. Kaminskiy wrote:
> In several cases, snprintf result was used without validating its range.
> 
> When formatted string would overflow buffer or error happens, snprintf
> will return either value larger than buffer size, or -1. In both cases,
> if you add this value to pointer (or similar), bad things will happen.
> 
> Pattern to watch for: =.*snprintf
> 
> I have not verified if any of this is exploitable. In some cases, I was
> not sure about proper error handling (watch for XXX comments).
> 
> While fixing this error, I noticed typo in Ip::Qos::Config::dumpConfigLine:
> markMissMask was used instead of tosMissMask.
> 
> Patches compile-tested (however, only on linux/x86/gcc49 and in default
> configuration).
> 
> 

I've merged this one immediately:

> squid-3.5.13-fix-typo.patch
> Index: squid-3.5.13/src/ip/QosConfig.cc


The rest are going to take a bit of review for portability and other
compilers. I have vague recollections of something about that -1 and
portability when I looked into it years ago.

Amos
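An added illustration of the bug class discussed in this thread (constructed for this page; not code from Yuriy's patches or from the Squid source): `unchecked_append` uses the snprintf result as an offset the way the flagged call sites did, while `checked_append` validates it first. The `AppendBuf` type and both functions are hypothetical helpers.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example buffer, not a Squid structure. */
typedef struct {
    char buf[32];
    size_t used;     /* bytes written so far, excluding the NUL */
    int truncated;   /* set once an append did not fit */
} AppendBuf;

/* The flagged pattern: the snprintf result is added to the offset without
 * checking it. On truncation snprintf returns the length the full output
 * would have had, so `used` ends up beyond the buffer; on error it returns
 * -1 and the offset moves backwards. A later write at buf + used is then
 * out of bounds. Shown only to expose the bad offset; do not write with it. */
size_t unchecked_append(AppendBuf *ab, const char *s)
{
    ab->used += snprintf(ab->buf + ab->used, sizeof(ab->buf) - ab->used, "%s", s);
    return ab->used;
}

/* Hardened form: validate the snprintf result before using it as an offset.
 * Returns bytes appended, or -1 on error or truncation (buffer stays NUL
 * terminated and `used` never exceeds sizeof(buf) - 1). */
int checked_append(AppendBuf *ab, const char *s)
{
    if (ab->used >= sizeof(ab->buf))
        return -1;                          /* no room even for the NUL */
    size_t avail = sizeof(ab->buf) - ab->used;
    int n = snprintf(ab->buf + ab->used, avail, "%s", s);
    if (n < 0) {                            /* encoding or other error */
        ab->buf[ab->used] = '\0';
        return -1;
    }
    if ((size_t)n >= avail) {               /* output did not fit */
        ab->used = sizeof(ab->buf) - 1;     /* snprintf wrote avail-1 chars + NUL */
        ab->truncated = 1;
        return -1;
    }
    ab->used += (size_t)n;
    return n;
}

int main(void)
{
    AppendBuf a = {{0}, 0, 0};
    AppendBuf b = {{0}, 0, 0};
    const char *big = "0123456789012345678901234567890123456789"; /* 40 chars */
    printf("unchecked offset: %zu (buffer is %zu bytes)\n",
           unchecked_append(&a, big), sizeof(a.buf));
    printf("checked: %d %d %d -> \"%s\" truncated=%d\n", checked_append(&b, "hello, "),
           checked_append(&b, "world"), checked_append(&b, big), b.buf, b.truncated);
    return 0;
}
```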
