diff -u -r -N squid-3.2.11/ChangeLog squid-3.2.12/ChangeLog --- squid-3.2.11/ChangeLog 2013-04-30 16:47:06.000000000 +1200 +++ squid-3.2.12/ChangeLog 2013-07-11 17:25:44.000000000 +1200 @@ -1,4 +1,11 @@ +Changes to squid-3.2.12 (11 Jul 2013): + + - Protect against buffer overrun in DNS query generation + - Avoid !closing assertions when helpers call comm_read during reconfigure. + - Fix several minor memory leaks during reconfigure + - Remove origin_tries limiter on forwarding and permit large max_forward_tries values + Changes to squid-3.2.11 (30 Apr 2013): - Regression Bug 3839: build error: src/tools.h: No such file or directory diff -u -r -N squid-3.2.11/configure squid-3.2.12/configure --- squid-3.2.11/configure 2013-04-30 16:47:59.000000000 +1200 +++ squid-3.2.12/configure 2013-07-11 17:27:14.000000000 +1200 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.2.11. +# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.2.12. # # Report bugs to . # @@ -575,8 +575,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='3.2.11' -PACKAGE_STRING='Squid Web Proxy 3.2.11' +PACKAGE_VERSION='3.2.12' +PACKAGE_STRING='Squid Web Proxy 3.2.12' PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' PACKAGE_URL='' @@ -1571,7 +1571,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 3.2.11 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 3.2.12 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1641,7 +1641,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 3.2.11:";; + short | recursive ) echo "Configuration of Squid Web Proxy 3.2.12:";; esac cat <<\_ACEOF @@ -2019,7 +2019,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 3.2.11 +Squid Web Proxy configure 3.2.12 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. @@ -3115,7 +3115,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 3.2.11, which was +It was created by Squid Web Proxy $as_me 3.2.12, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ @@ -3934,7 +3934,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='3.2.11' + VERSION='3.2.12' cat >>confdefs.h <<_ACEOF @@ -30894,7 +30894,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 3.2.11, which was +This file was extended by Squid Web Proxy $as_me 3.2.12, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -30960,7 +30960,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Squid Web Proxy config.status 3.2.11 +Squid Web Proxy config.status 3.2.12 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" diff -u -r -N squid-3.2.11/configure.ac squid-3.2.12/configure.ac --- squid-3.2.11/configure.ac 2013-04-30 16:47:59.000000000 +1200 +++ squid-3.2.12/configure.ac 2013-07-11 17:27:14.000000000 +1200 @@ -1,4 +1,4 @@ -AC_INIT([Squid Web Proxy],[3.2.11],[http://bugs.squid-cache.org/],[squid]) +AC_INIT([Squid Web Proxy],[3.2.12],[http://bugs.squid-cache.org/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) diff -u -r -N squid-3.2.11/helpers/basic_auth/DB/basic_db_auth.8 squid-3.2.12/helpers/basic_auth/DB/basic_db_auth.8 --- squid-3.2.11/helpers/basic_auth/DB/basic_db_auth.8 2013-04-30 17:08:15.000000000 +1200 +++ squid-3.2.12/helpers/basic_auth/DB/basic_db_auth.8 2013-07-11 17:49:32.000000000 +1200 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 1" -.TH BASIC_DB_AUTH 1 "2013-04-29" "perl v5.10.1" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 1 "2013-07-10" "perl v5.10.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.2.11/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.2.12/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-3.2.11/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2013-04-30 17:08:19.000000000 +1200 +++ squid-3.2.12/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2013-07-11 17:49:34.000000000 +1200 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1" -.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-04-29" "perl v5.10.1" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-07-10" "perl v5.10.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.2.11/include/version.h squid-3.2.12/include/version.h --- squid-3.2.11/include/version.h 2013-04-30 16:47:59.000000000 +1200 +++ squid-3.2.12/include/version.h 2013-07-11 17:27:14.000000000 +1200 @@ -9,7 +9,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1367297224 +#define SQUID_RELEASE_TIME 1373520341 #endif #ifndef APP_SHORTNAME diff -u -r -N squid-3.2.11/RELEASENOTES.html squid-3.2.12/RELEASENOTES.html --- squid-3.2.11/RELEASENOTES.html 2013-04-30 17:08:31.000000000 +1200 +++ squid-3.2.12/RELEASENOTES.html 2013-07-11 17:49:40.000000000 +1200 @@ -1,11 +1,11 @@ - - Squid 3.2.11 release notes + + Squid 3.2.12 release notes -

Squid 3.2.11 release notes

+

Squid 3.2.12 release notes

Squid Developers

@@ -72,7 +72,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.2.11.

+

The Squid Team are pleased to announce the release of Squid-3.2.12.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.2/ or the mirrors.

diff -u -r -N squid-3.2.11/src/client_db.cc squid-3.2.12/src/client_db.cc --- squid-3.2.11/src/client_db.cc 2013-04-30 16:47:06.000000000 +1200 +++ squid-3.2.12/src/client_db.cc 2013-07-11 17:25:44.000000000 +1200 @@ -72,8 +72,9 @@ clientdbAdd(const Ip::Address &addr) { ClientInfo *c; - char *buf = new char[MAX_IPSTRLEN]; + char *buf = static_cast(xmalloc(MAX_IPSTRLEN)); // becomes hash.key c = (ClientInfo *)memAllocate(MEM_CLIENT_INFO); + debugs(77, 9, "ClientInfo constructed, this=" << c); c->hash.key = addr.NtoA(buf,MAX_IPSTRLEN); c->addr = addr; #if USE_DELAY_POOLS @@ -355,6 +356,7 @@ } #endif + debugs(77, 9, "ClientInfo destructed, this=" << c); memFree(c, MEM_CLIENT_INFO); } diff -u -r -N squid-3.2.11/src/dns_internal.cc squid-3.2.12/src/dns_internal.cc --- squid-3.2.11/src/dns_internal.cc 2013-04-30 16:47:06.000000000 +1200 +++ squid-3.2.12/src/dns_internal.cc 2013-07-11 17:25:44.000000000 +1200 @@ -1660,23 +1660,29 @@ void idnsALookup(const char *name, IDNSCB * callback, void *data) { - unsigned int i; - int nd = 0; - idns_query *q; + size_t nameLength = strlen(name); + + // Prevent buffer overflow on q->name + if (nameLength > NS_MAXDNAME) { + debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details."); + callback(data, NULL, 0, "Internal error"); + return; + } if (idnsCachedLookup(name, callback, data)) return; - q = cbdataAlloc(idns_query); + idns_query *q = cbdataAlloc(idns_query); // idns_query is POD so no constructors are called after allocation q->xact_id.change(); q->query_id = idnsQueryID(); - for (i = 0; i < strlen(name); ++i) + int nd = 0; + for (unsigned int i = 0; i < nameLength; ++i) if (name[i] == '.') ++nd; - if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') { + if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') { q->do_searchpath = 1; } else { q->do_searchpath = 0; diff -u -r -N squid-3.2.11/src/forward.cc squid-3.2.12/src/forward.cc --- squid-3.2.11/src/forward.cc 2013-04-30 16:47:06.000000000 +1200 +++ squid-3.2.12/src/forward.cc 2013-07-11 17:25:44.000000000 +1200 @@ -515,10 +515,7 @@ if (!entry->isEmpty()) return false; - if (n_tries > 10) - return false; - - if (origin_tries > 2) + if (n_tries > Config.forward_max_tries) return false; if (squid_curtime - start_t > Config.Timeout.forward) @@ -940,9 +937,6 @@ debugs(17, 3, HERE << "reusing pconn " << serverConnection()); ++n_tries; - if (!serverConnection()->getPeer()) - ++origin_tries; - comm_add_close_handler(serverConnection()->fd, fwdServerClosedWrapper, this); /* Update server side TOS and Netfilter mark on the connection. */ @@ -1131,9 +1125,6 @@ if (n_tries > Config.forward_max_tries) return 0; - if (origin_tries > 1) - return 0; - if (request->bodyNibbled()) return 0; diff -u -r -N squid-3.2.11/src/forward.h squid-3.2.12/src/forward.h --- squid-3.2.11/src/forward.h 2013-04-30 16:47:06.000000000 +1200 +++ squid-3.2.12/src/forward.h 2013-07-11 17:25:44.000000000 +1200 @@ -97,7 +97,6 @@ Comm::ConnectionPointer clientConn; ///< a possibly open connection to the client. time_t start_t; int n_tries; - int origin_tries; // AsyncCalls which we set and may need cancelling. struct { diff -u -r -N squid-3.2.11/src/helper.cc squid-3.2.12/src/helper.cc --- squid-3.2.11/src/helper.cc 2013-04-30 16:47:06.000000000 +1200 +++ squid-3.2.12/src/helper.cc 2013-07-11 17:25:44.000000000 +1200 @@ -38,6 +38,7 @@ #include "comm/Connection.h" #include "comm/Write.h" #include "helper.h" +#include "fde.h" #include "format/Quoting.h" #include "MemBuf.h" #include "SquidMath.h" @@ -750,7 +751,7 @@ safe_free(srv->requests); cbdataReferenceDone(srv->parent); - cbdataFree(srv); + delete srv; } static void @@ -812,7 +813,7 @@ cbdataReferenceDone(srv->parent); - cbdataFree(srv); + delete srv; } /// Calls back with a pointer to the buffer with the helper output @@ -920,7 +921,7 @@ helperReturnBuffer(i, srv, hlp, msg, t); } - if (Comm::IsConnOpen(srv->readPipe)) { + if (Comm::IsConnOpen(srv->readPipe) && !fd_table[srv->readPipe->fd].closing()) { int spaceSize = srv->rbuf_sz - srv->roffset - 1; assert(spaceSize >= 0); @@ -1021,7 +1022,7 @@ helperStatefulReleaseServer(srv); } - if (Comm::IsConnOpen(srv->readPipe)) { + if (Comm::IsConnOpen(srv->readPipe) && !fd_table[srv->readPipe->fd].closing()) { int spaceSize = srv->rbuf_sz - srv->roffset - 1; assert(spaceSize >= 0); diff -u -r -N squid-3.2.11/src/HttpHeader.cc squid-3.2.12/src/HttpHeader.cc --- squid-3.2.11/src/HttpHeader.cc 2013-04-30 16:47:06.000000000 +1200 +++ squid-3.2.12/src/HttpHeader.cc 2013-07-11 17:25:44.000000000 +1200 @@ -433,37 +433,37 @@ PROF_start(HttpHeaderClean); - /* - * An unfortunate bug. The entries array is initialized - * such that count is set to zero. httpHeaderClean() seems to - * be called both when 'hdr' is created, and destroyed. Thus, - * we accumulate a large number of zero counts for 'hdr' before - * it is ever used. Can't think of a good way to fix it, except - * adding a state variable that indicates whether or not 'hdr' - * has been used. As a hack, just never count zero-sized header - * arrays. - */ - if (owner <= hoReply) { + /* + * An unfortunate bug. The entries array is initialized + * such that count is set to zero. httpHeaderClean() seems to + * be called both when 'hdr' is created, and destroyed. Thus, + * we accumulate a large number of zero counts for 'hdr' before + * it is ever used. Can't think of a good way to fix it, except + * adding a state variable that indicates whether or not 'hdr' + * has been used. As a hack, just never count zero-sized header + * arrays. + */ if (0 != entries.count) HttpHeaderStats[owner].hdrUCountDistr.count(entries.count); ++ HttpHeaderStats[owner].destroyedCount; HttpHeaderStats[owner].busyDestroyedCount += entries.count > 0; + } // if (owner <= hoReply) - while ((e = getEntry(&pos))) { - /* tmp hack to try to avoid coredumps */ + while ((e = getEntry(&pos))) { + /* tmp hack to try to avoid coredumps */ - if (e->id < 0 || e->id >= HDR_ENUM_END) { - debugs(55, 0, "HttpHeader::clean BUG: entry[" << pos << "] is invalid (" << e->id << "). Ignored."); - } else { + if (e->id < 0 || e->id >= HDR_ENUM_END) { + debugs(55, DBG_CRITICAL, "HttpHeader::clean BUG: entry[" << pos << "] is invalid (" << e->id << "). Ignored."); + } else { + if (owner <= hoReply) HttpHeaderStats[owner].fieldTypeDistr.count(e->id); - /* yes, this deletion leaves us in an inconsistent state */ - delete e; - } + /* yes, this deletion leaves us in an inconsistent state */ + delete e; } - } // if (owner <= hoReply) + } entries.clean(); httpHeaderMaskInit(&mask, 0); len = 0;