[squid-dev] [PATCH] snprintf result used without validating its range

Yuriy M. Kaminskiy yumkam at gmail.com
Tue Feb 9 17:25:30 UTC 2016


In several cases, the snprintf result was used without validating its range.

When the formatted string would overflow the buffer or an error happens, snprintf
will return either a value larger than the buffer size, or -1. In both cases,
if you add this value to a pointer (or similar), bad things will happen.

Pattern to watch for: =.*snprintf

I have not verified if any of this is exploitable. In some cases, I was
not sure about proper error handling (watch for XXX comments).

While fixing this error, I noticed a typo in Ip::Qos::Config::dumpConfigLine:
markMissMask was used instead of tosMissMask.

Patches compile-tested (however, only on linux/x86/gcc49 and in default
configuration).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: squid-3.5.13-fix-typo.patch
Type: text/x-diff
Size: 563 bytes
Desc: Fix typo in src/ip/QosConfig.cc (Ip::Qos::Config::dumpConfigLine)
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20160209/40212fdd/attachment-0002.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: squid-3.5.13-check-snprintf-value.patch
Type: text/x-diff
Size: 15352 bytes
Desc: [SECURITY] check snprintf return value before use
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20160209/40212fdd/attachment-0003.patch>
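The return-value semantics described in the message, shown side by side with a checked append helper. This is an added example written for this page, not code from Squid or from the attached patches; `unchecked_next_offset`, `append_fmt` and `dump_line` are hypothetical names and the `proto=`/`mask=` fields are constructed sample output, not Squid's dump format.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unchecked pattern the report warns about: the snprintf return value is
 * folded straight into the offset that the next write would start from.
 * When the buffer is too small the result is larger than the buffer size
 * (or -1 on a format error), so "buf + result" points outside the buffer.
 * This helper only returns that would-be offset; it never writes through it. */
static int unchecked_next_offset(char *buf, size_t size, const char *value)
{
    return snprintf(buf, size, "value=%s", value);
}

/* Checked append: formats into buf[size] starting at *off and advances *off
 * only when the whole formatted text (plus NUL) actually fit.
 * Returns false, leaving *off unchanged and the buffer NUL-terminated at
 * the old offset, on truncation or on a negative (error) return. */
static bool append_fmt(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
    if (*off >= size)
        return false;                       /* nothing left to write into */

    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *off, size - *off, fmt, ap);
    va_end(ap);

    if (n < 0) {                            /* encoding or format error */
        buf[*off] = '\0';
        return false;
    }
    if ((size_t)n >= size - *off) {         /* would need n+1 bytes: truncated */
        buf[*off] = '\0';                   /* discard the partial fragment */
        return false;
    }
    *off += (size_t)n;                      /* safe: n < remaining space */
    return true;
}

/* Builds a config-style line from several fields using the checked helper.
 * Returns true only if every field fit; on failure buf holds the fields
 * that did fit, still NUL-terminated. */
static bool dump_line(char *buf, size_t size, const char *proto, const char *mask)
{
    size_t off = 0;
    return append_fmt(buf, size, &off, "proto=%s", proto)
        && append_fmt(buf, size, &off, " mask=%s", mask);
}

int main(void)
{
    char small[8];
    int n = unchecked_next_offset(small, sizeof small, "abcdefgh");
    printf("snprintf returned %d for an %zu-byte buffer; buffer holds \"%s\"\n",
           n, sizeof small, small);

    char line[64];
    if (dump_line(line, sizeof line, "tcp", "0x1"))
        printf("full line: %s\n", line);

    char tight[12];
    if (!dump_line(tight, sizeof tight, "tcp", "0x1"))
        printf("truncated, kept only: \"%s\"\n", tight);
    return 0;
}
```

With an 8-byte buffer, snprintf stores `value=a` plus the terminator and returns 14, the length it wanted; an offset of 14 added to the buffer base is the out-of-range pointer the report describes. The checked helper compares the return against the remaining space before advancing, which is the fix the attached patch applies at each `=.*snprintf` site.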


More information about the squid-dev mailing list