Re: Re: squid-3.0.STABLE26: bug 3113: Squid can eat far too much memory when uploading files

From: Bram <bram-fdhvq-qri_at_spam.wizbit.be>
Date: Thu, 05 Jan 2012 09:10:25 +0100

>> a) Does anyone have a backport for this bug to squid-3.0?
>> The fix is committed on squid-3.1 and squid-3.2 but a patch does not
>> appear to be available
>> for squid-3.0.
>
> 3.0 is obsolete and this is a minor DoS vulnerability only opened as
> a vulnerability at all by recent browser changes.

It's not the DoS vulnerability that is a/the problem for me/us.
A side effect of this bug is that it can cause read timeouts when
chaining proxies.
(That is: browser -> squid1 -> squid2 -> internet. The connection
between the browser and squid1 is fast, the connection between squid1
and squid2 is fast, the connection between squid2 and the internet is
slow. When a large POST is done then it can trigger the read timeout
in the first proxy)

[We are in the process of upgrading to a more recent version of squid
but that's blocked by other factors (unrelated to squid)]

> If you can verify that the port works without additional side
> effects I'm happy to apply it to the 3.0 branch for a snapshot update.

The 'without additional side effect' is the bit that is difficult to answer...
For now only test systems have been patched but no production system yet.
I'll post to the list when all production systems are upgraded and
when/if we notice any new problems.

>> b) Assuming the answer to question 'a)' is no:
>> Is anyone able/willing to review the attached patch?
>> This is a backport (or at least an attempt) to squid-3.0.
>>
>> The 'patch' is based on:
>> * http://bugs.squid-cache.org/attachment.cgi?id=2327 - "Possible fix,
>> fourth iteration"
>> * http://bazaar.launchpad.net/~squid/squid/3.1/revision/10171 - "Bug
>> 3113: Squid can eat far too much memory when uploading files"
>>
>> [I obviously tested this and everything appears to be working but a
>> review would be appreciated]
>
> Seems okay for the bits it is changing. It is missing the
> cache_cf.cc config file input validation hunk which can be seen at
> the top of the bzr patch though.

Are you looking at the patch attached to my previous mail? It should
be at the top of it.

Inline version:
"
diff -Naur squid-3.0.STABLE26.orig/src/cache_cf.cc
squid-3.0.STABLE26/src/cache_cf.cc
--- squid-3.0.STABLE26.orig/src/cache_cf.cc 2011-08-27
17:09:25.000000000 +0200
+++ squid-3.0.STABLE26/src/cache_cf.cc 2011-12-21 23:25:56.000000000 +0100
@@ -700,6 +700,14 @@
      }

  #endif
+
+ // prevent infinite fetch loops in the request parser
+ // due to buffer full but not enough data recived to finish parse
+ if (Config.maxRequestBufferSize <= Config.maxRequestHeaderSize) {
+ fatalf("Client request buffer of %u bytes cannot hold a
request with %u bytes of headers." \
+ " Change client_request_buffer_max or
request_header_max_size limits.",
+ (uint32_t)Config.maxRequestBufferSize,
(uint32_t)Config.maxRequestHeaderSize);
+ }
  }
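Review bot: the directive name in the fatalf message looks truncated: the second limit is named with its full directive, request_header_max_size, but the first is given as client_request_buffer_max, so an admin who greps squid.conf.documented for that string will not find it. Check the NAME of the directive that sets Config.maxRequestBufferSize in cf.data.pre (I believe it is client_request_buffer_max_size) and use that exact spelling in the message. Two smaller points in the same hunk: the comment has "recived" for "received", and the (uint32_t) casts on both Config values silently truncate anything above 4 GiB on 64-bit builds; printing them with %lu and (unsigned long) casts, or with PRIu64, avoids that while keeping the format string portable. Otherwise the check matches the upstream revision it cites and is placed where it will also fire on reconfigure, which is the right place for it.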
"

Best regards,

Bram
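For anyone still on a 3.0 build without this backport, the same invariant the cache_cf.cc hunk enforces at startup can be checked against squid.conf ahead of time. The script below is an added example written for this archive page, not code from Squid or from the thread; it assumes the 3.x defaults of 64 KB for request_header_max_size and 512 KB for client_request_buffer_max_size (verify against your version's squid.conf.documented), mirrors Squid's b_size_t syntax of a number followed by a unit, and uses a constructed sample config.

```python
import re

# Assumed defaults, taken from squid 3.x cf.data.pre; confirm against the
# installed version's squid.conf.documented before relying on them.
DEFAULTS = {
    "request_header_max_size": "64 KB",
    "client_request_buffer_max_size": "512 KB",
}

# Units accepted by squid's b_size_t parser (case-insensitive).
UNITS = {"bytes": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_size(text):
    """Parse a b_size_t value such as '512 KB' or '65536 bytes' into bytes.

    Squid requires the unit token, so a bare number is rejected here too.
    """
    m = re.fullmatch(r"\s*(\d+)\s+([A-Za-z]+)\s*", text)
    if not m:
        raise ValueError("unparseable size (need '<number> <unit>'): %r" % text)
    value, unit = int(m.group(1)), m.group(2).lower()
    if unit not in UNITS:
        raise ValueError("unknown size unit in %r" % text)
    return value * UNITS[unit]


def effective_limits(conf_text):
    """Return the effective value of both directives, in bytes.

    Comments are stripped, blank lines skipped, and a repeated directive
    overrides the earlier one (last wins), as squid's parser does.
    """
    limits = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in limits:
            limits[parts[0]] = parts[1]
    return {name: parse_size(val) for name, val in limits.items()}


def check_request_buffer(conf_text):
    """Mirror the startup check from the bug 3113 fix.

    The client request buffer must be strictly larger than the maximum
    header size; otherwise the parser can stall on a full buffer that
    still does not hold a complete header block. Returns (ok, message).
    """
    lim = effective_limits(conf_text)
    buf = lim["client_request_buffer_max_size"]
    hdr = lim["request_header_max_size"]
    if buf <= hdr:
        return False, ("client request buffer of %d bytes cannot hold a request "
                       "with %d bytes of headers; raise "
                       "client_request_buffer_max_size or lower "
                       "request_header_max_size" % (buf, hdr))
    return True, "buffer %d bytes > header limit %d bytes" % (buf, hdr)


# Constructed sample: an admin raised the header limit for a SAML-heavy
# site without raising the buffer, which the patched squid would refuse.
SAMPLE_BAD_CONF = """
http_port 3128
request_header_max_size 512 KB   # large SAML cookies
client_request_buffer_max_size 512 KB
"""

SAMPLE_GOOD_CONF = """
http_port 3128
request_header_max_size 512 KB
client_request_buffer_max_size 2 MB
"""

if __name__ == "__main__":
    for label, conf in (("bad", SAMPLE_BAD_CONF), ("good", SAMPLE_GOOD_CONF)):
        ok, msg = check_request_buffer(conf)
        print("%s config: %s: %s" % (label, "OK" if ok else "FATAL", msg))
```

Run it against a real squid.conf with check_request_buffer(open("/etc/squid/squid.conf").read()); note that it does not follow include directives, so check each included file separately if you use them.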
Received on Thu Jan 05 2012 - 08:10:30 MST

This archive was generated by hypermail 2.2.0 : Thu Jan 05 2012 - 12:00:07 MST