--------------------- PatchSet 12432 Date: 2009/02/02 11:13:24 Author: hno Branch: SQUID_2_7 Tag: (none) Log: Fixup parsing of invalid version numbers Members: src/HttpMsg.c:1.17->1.17.2.1 src/HttpStatusLine.c:1.31->1.31.2.1 Index: squid/src/HttpMsg.c =================================================================== RCS file: /cvsroot/squid/squid/src/HttpMsg.c,v retrieving revision 1.17 retrieving revision 1.17.2.1 diff -u -r1.17 -r1.17.2.1 --- squid/src/HttpMsg.c 13 Dec 2007 01:20:48 -0000 1.17 +++ squid/src/HttpMsg.c 2 Feb 2009 11:13:24 -0000 1.17.2.1 @@ -1,6 +1,6 @@ /* - * $Id: HttpMsg.c,v 1.17 2007/12/13 01:20:48 hno Exp $ + * $Id: HttpMsg.c,v 1.17.2.1 2009/02/02 11:13:24 hno Exp $ * * DEBUG: section 74 HTTP Message * AUTHOR: Alex Rousskov @@ -256,11 +256,11 @@ /* next should be 1 or more digits */ maj = 0; - for (; i < hmsg->req_end && (xisdigit(hmsg->buf[i])); i++) { + for (; i < hmsg->req_end && (xisdigit(hmsg->buf[i])) && maj < 65536; i++) { maj = maj * 10; maj = maj + (hmsg->buf[i]) - '0'; } - if (i >= hmsg->req_end) { + if (i >= hmsg->req_end || maj >= 65536) { retcode = -1; goto finish; } @@ -276,11 +276,14 @@ /* next should be one or more digits */ i++; min = 0; - for (; i < hmsg->req_end && (xisdigit(hmsg->buf[i])); i++) { + for (; i < hmsg->req_end && (xisdigit(hmsg->buf[i])) && min < 65536; i++) { min = min * 10; min = min + (hmsg->buf[i]) - '0'; } - + if (maj >= 65536) { + retcode = -1; + goto finish; + } /* Find whitespace, end of version */ hmsg->v_end = i; hmsg->v_len = hmsg->v_end - hmsg->v_start + 1; Index: squid/src/HttpStatusLine.c =================================================================== RCS file: /cvsroot/squid/squid/src/HttpStatusLine.c,v retrieving revision 1.31 retrieving revision 1.31.2.1 diff -u -r1.31 -r1.31.2.1 --- squid/src/HttpStatusLine.c 13 Dec 2007 01:20:48 -0000 1.31 +++ squid/src/HttpStatusLine.c 2 Feb 2009 11:13:24 -0000 1.31.2.1 @@ -1,6 +1,6 @@ /* - * $Id: HttpStatusLine.c,v 1.31 2007/12/13 01:20:48 hno Exp $ + * $Id: HttpStatusLine.c,v 1.31.2.1 2009/02/02 11:13:24 hno Exp $ * * DEBUG: section 57 HTTP Status-line * AUTHOR: Alex Rousskov @@ -97,11 +97,11 @@ /* Format: HTTP/x.x CRLF */ s = start; maj = 0; - for (s = start; s < end && xisdigit(*s); s++) { + for (s = start; s < end && xisdigit(*s) && maj < 65536; s++) { maj = maj * 10; maj = maj + *s - '0'; } - if (s >= end) { + if (s >= end || maj >= 65536) { debug(57, 7) ("httpStatusLineParse: Invalid HTTP reply status major.\n"); return 0; } @@ -113,11 +113,11 @@ s++; /* next should be minor number */ min = 0; - for (; s < end && xisdigit(*s); s++) { + for (; s < end && xisdigit(*s) && min < 65536; s++) { min = min * 10; min = min + *s - '0'; } - if (s >= end) { + if (s >= end || min >= 65536) { debug(57, 7) ("httpStatusLineParse: Invalid HTTP reply status version minor.\n"); return 0; }