[squid-dev] [PATCH] snprintf result used without validating its range

Amos Jeffries squid3 at treenet.co.nz
Wed Feb 10 10:59:16 UTC 2016


On 10/02/2016 6:25 a.m., Yuriy M. Kaminskiy wrote:
> In several cases, snprintf result was used without validating its range.
> 
> When formatted string would overflow buffer or error happens, snprintf
> will return either value larger than buffer size, or -1. In both cases,
> if you add this value to pointer (or similar), bad things will happen.
> 
> Pattern to watch for: =.*snprintf
> 
> I have not verified if any of this is exploitable. In some cases, I was
> not sure about proper error handling (watch for XXX comments).
> 
> While fixing this error, I noticed a typo in Ip::Qos::Config::dumpConfigLine:
> markMissMask was used instead of tosMissMask.
> 
> Patches compile-tested (however, only on linux/x86/gcc49 and in default
> configuration).
> 
> 

I've merged this one immediately:

> squid-3.5.13-fix-typo.patch
> Index: squid-3.5.13/src/ip/QosConfig.cc


The rest are going to take a bit of review for portability and other
compilers. I have vague recollections of something about that -1 and
portability when I looked into it years ago.

Amos
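The failure mode Yuriy describes (an unchecked `p += snprintf(...)` that advances the cursor past the buffer on truncation, or backwards on -1) and the check a fix needs are shown below as an added example. This is not Squid code and not part of either message; `unchecked_advance`, `safe_appendf` and `build_line` are hypothetical helpers, and the "qos_flows" line they build is constructed for the demo, not Squid's real output format.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Squid code. All helpers are hypothetical. */

/* The value an unchecked "p += snprintf(p, size, ...)" would add to p.
 * For a string longer than the buffer it exceeds size (C99), so p would
 * land past the end of the buffer; on an encoding error it is -1, so p
 * would move backwards. The value is returned, never used as an offset. */
static long unchecked_advance(char *buf, size_t size, const char *s)
{
    return snprintf(buf, size, "%s", s);
}

/* Append formatted text at buf + *off, never writing past buf + size.
 * Returns 1 on success and advances *off. Returns 0 on error (n < 0) or
 * truncation (n >= space); in both cases the partial field is dropped,
 * the buffer stays NUL-terminated, and *off is clamped to size so later
 * appends are refused instead of computing an out-of-range pointer. */
static int safe_appendf(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t space;

    if (size == 0 || *off >= size)
        return 0;
    space = size - *off;

    va_start(ap, fmt);
    n = vsnprintf(buf + *off, space, fmt, ap);
    va_end(ap);

    if (n < 0 || (size_t)n >= space) {
        buf[*off] = '\0';   /* roll back the partial field */
        *off = size;        /* refuse further appends */
        return 0;
    }
    *off += (size_t)n;
    return 1;
}

/* Build a config-dump style line field by field, validating every
 * snprintf result. Returns the number of fields appended (3 = complete). */
static int build_line(char *buf, size_t size, const char *name,
                      unsigned tos, unsigned mask)
{
    size_t off = 0;
    int fields = 0;

    if (size == 0)
        return 0;
    buf[0] = '\0';
    fields += safe_appendf(buf, size, &off, "%s", name);
    fields += safe_appendf(buf, size, &off, " tos=0x%02x", tos);
    fields += safe_appendf(buf, size, &off, " mask=0x%02x", mask);
    return fields;
}

/* Scenario 1: everything fits; all three fields land in the buffer. */
static int check_fits(void)
{
    char buf[32];
    int fields = build_line(buf, sizeof buf, "qos_flows", 0x10, 0xff);
    return fields == 3 && strcmp(buf, "qos_flows tos=0x10 mask=0xff") == 0;
}

/* Scenario 2: the second field does not fit; it is dropped whole and the
 * third is refused, with no write beyond the 12-byte buffer. */
static int check_truncated(void)
{
    char buf[12];
    int fields = build_line(buf, sizeof buf, "qos_flows", 0x10, 0xff);
    return fields == 1 && strcmp(buf, "qos_flows") == 0;
}

/* Scenario 3: what an unchecked pattern would have added to the cursor
 * for an 8-byte buffer (the full formatted length, larger than 8). */
static long check_unchecked(void)
{
    char buf[8];
    return unchecked_advance(buf, sizeof buf, "this string is far too long");
}

int main(void)
{
    printf("fits: %d, truncated: %d, unchecked advance for 8-byte buffer: %ld\n",
           check_fits(), check_truncated(), check_unchecked());
    return 0;
}
```

The check that matters is the combined `n < 0 || (size_t)n >= space` test: `n >= space` is the truncation case (snprintf returns the length it would have needed), and `n < 0` is the error case Amos mentions, where older or non-C99 runtimes may also return -1 on truncation rather than the needed length, so handling both together keeps the code portable across the compilers he wants reviewed.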
