List: squid-dev
Subject: Re: [squid-dev] [PATCH] snprintf result used without validating its range
From: Amos Jeffries <squid3 () treenet ! co ! nz>
Date: 2016-02-10 10:59:16
Message-ID: 56BB1804.3020304 () treenet ! co ! nz
On 10/02/2016 6:25 a.m., Yuriy M. Kaminskiy wrote:
> In several cases, snprintf result was used without validating its range.
>
> When formatted string would overflow buffer or error happens, snprintf
> will return either value larger than buffer size, or -1. In both cases,
> if you add this value to pointer (or similar), bad things will happen.
>
> Pattern to watch for: =.*snprintf
>
> I have not verified if any of this is exploitable. In some cases, I was
> not sure about proper error handling (watch for XXX comments).
>
> While fixing this error, I noticed typo in Ip::Qos::Config::dumpConfigLine:
> markMissMask was used instead of tosMissMask.
>
> Patches compile-tested (however, only on linux/x86/gcc49 and in default
> configuration).
>
>
I've merged this one immediately:
> squid-3.5.13-fix-typo.patch
> Index: squid-3.5.13/src/ip/QosConfig.cc
The rest are going to take a bit of review for portability and other
compilers. I have vague recollections of something about that -1 and
portability when I looked into it years ago.
Amos
_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
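As an added illustration of the pattern discussed in this thread (this is example code, not from the submitted patches or from Squid itself), a small C append helper that validates the snprintf result before advancing the cursor, next to a function showing the value the unchecked `p += snprintf(...)` pattern would add to the pointer on truncation. The struct and function names are hypothetical.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* Cursor over a fixed-size output buffer (hypothetical helper type). */
struct outbuf {
    char *buf;
    size_t size;   /* total capacity, including room for the NUL */
    size_t used;   /* bytes written so far, excluding the NUL */
    int truncated; /* set once any append did not fit */
};

/* Hardened append: checks the snprintf result before moving the cursor.
 * Returns 0 on success, -1 if the piece was cut short or snprintf failed. */
static int outbuf_append(struct outbuf *ob, const char *fmt, ...)
{
    if (ob->truncated)
        return -1;
    size_t room = ob->size - ob->used;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(ob->buf + ob->used, room, fmt, ap);
    va_end(ap);
    /* n < 0: error; n >= room: the output was truncated. In both cases
     * advancing by n would move the cursor past the end of the buffer. */
    if (n < 0 || (size_t)n >= room) {
        ob->buf[ob->size - 1] = '\0';
        ob->truncated = 1;
        return -1;
    }
    ob->used += (size_t)n;
    return 0;
}

/* Builds a line from several pieces; returns its length or -1 if it did
 * not fit. The field name is a constructed sample, not a Squid directive. */
int build_line(char *out, size_t outsize, int mark, int mask)
{
    struct outbuf ob = { out, outsize, 0, 0 };
    if (outbuf_append(&ob, "tos-mark=") < 0) return -1;
    if (outbuf_append(&ob, "0x%02x", mark) < 0) return -1;
    if (outbuf_append(&ob, "/0x%02x", mask) < 0) return -1;
    return (int)ob.used;
}

/* What the unchecked pattern would advance by: snprintf returns the length
 * the full output WOULD have had, which exceeds room when truncated. */
int naive_advance(char *buf, size_t room, const char *s)
{
    return snprintf(buf, room, "%s", s);
}
```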