[squid-dev] [PATCH] snprintf result used without validating its range
Amos Jeffries
squid3 at treenet.co.nz
Wed Feb 10 10:59:16 UTC 2016
On 10/02/2016 6:25 a.m., Yuriy M. Kaminskiy wrote:
> In several cases, snprintf result was used without validating its range.
>
> When formatted string would overflow buffer or error happens, snprintf
> will return either value larger than buffer size, or -1. In both cases,
> if you add this value to pointer (or similar), bad things will happen.
>
> Pattern to watch for: =.*snprintf
>
> I have not verified if any of this is exploitable. In some cases, I was
> not sure about proper error handling (watch for XXX comments).
>
> While fixing this error, I noticed typo in Ip::Qos::Config::dumpConfigLine:
> markMissMask was used instead of tosMissMask.
>
> Patches compile-tested (however, only on linux/x86/gcc49 and in default
> configuration).
>
>
I've merge this one immediately:
> squid-3.5.13-fix-typo.patch
> Index: squid-3.5.13/src/ip/QosConfig.cc
The rest are going to take a bit of reviw for portability and other
compilers. I have vague recollections of something about that -1 and
portability when I looked into it years ago.
Amos
More information about the squid-dev
mailing list