Headline
CVE-2021-46784
In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.
Date: 2022-04-18 13:42:36 +0000
Improve handling of Gopher responses (#1022)
diff --git a/src/gopher.cc b/src/gopher.cc
index c4d1aeaad…6a77d9aaf 100644
— a/src/gopher.cc
+++ b/src/gopher.cc
@@ -365,7 +365,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
char *lpos = NULL;
char *tline = NULL;
LOCAL_ARRAY(char, line, TEMP_BUF_SIZE);
- LOCAL_ARRAY(char, tmpbuf, TEMP_BUF_SIZE);
char *name = NULL;
char *selector = NULL;
char *host = NULL;
@@ -375,7 +374,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
char gtype;
StoreEntry *entry = NULL;
- memset(tmpbuf, '\0’, TEMP_BUF_SIZE);
memset(line, '\0’, TEMP_BUF_SIZE);
entry = gopherState->entry;
@@ -410,7 +408,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
return;
}
- String outbuf;
+ SBuf outbuf;
if (!gopherState->HTML_header_added) {
if (gopherState->conversion == GopherStateData::HTML_CSO_RESULT)
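Review bot: The `String outbuf` to `SBuf outbuf` change in the `@@ -410,7 +408,7 @@` hunk carries the fix, but nothing at the declaration says why the type matters, so a later cleanup could bring back a size-limited staging buffer. A one-line comment would pin it, for example `// SBuf: the converted listing may be long; do not stage it in fixed-size buffers`. The `line` array kept as context in the first hunk is still `TEMP_BUF_SIZE` bytes and the code that fills it is outside these hunks, so it is worth confirming that copy is length-checked against the same constant. gopherToHTML starts and ends outside all three hunks.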
@@ -582,37 +580,34 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len) break; } - memset(tmpbuf, '\0’, TEMP_BUF_SIZE); - if ((gtype == GOPHER_TELNET) || (gtype == GOPHER_3270)) { if (strlen(escaped_selector) != 0) - snprintf(tmpbuf, TEMP_BUF_SIZE, " %s\n", - icon_url, escaped_selector, rfc1738_escape_part(host), - *port ? “:” : "", port, html_quote(name)); + outbuf.appendf(" %s\n", + icon_url, escaped_selector, rfc1738_escape_part(host), + *port ? “:” : "", port, html_quote(name)); else - snprintf(tmpbuf, TEMP_BUF_SIZE, " %s\n", - icon_url, rfc1738_escape_part(host), *port ? “:” : "", - port, html_quote(name)); + outbuf.appendf(" %s\n", + icon_url, rfc1738_escape_part(host), *port ? “:” : "", + port, html_quote(name)); } else if (gtype == GOPHER_INFO) { - snprintf(tmpbuf, TEMP_BUF_SIZE, "\t%s\n", html_quote(name)); + outbuf.appendf("\t%s\n", html_quote(name)); } else { if (strncmp(selector, "GET /", 5) == 0) { /* WWW link */ - snprintf(tmpbuf, TEMP_BUF_SIZE, " %s\n", - icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name)); + outbuf.appendf(" %s\n", + icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name)); } else if (gtype == GOPHER_WWW) { - snprintf(tmpbuf, TEMP_BUF_SIZE, " %s\n", - icon_url, rfc1738_escape_unescaped(selector), html_quote(name)); + outbuf.appendf(" %s\n", + icon_url, rfc1738_escape_unescaped(selector), html_quote(name)); } else { /* Standard link */ - snprintf(tmpbuf, TEMP_BUF_SIZE, " %s\n", - icon_url, host, gtype, escaped_selector, html_quote(name)); + outbuf.appendf(" %s\n", + icon_url, host, gtype, escaped_selector, html_quote(name)); } } safe_free(escaped_selector); - outbuf.append(tmpbuf); } else { memset(line, '\0’, TEMP_BUF_SIZE); continue; @@ -645,13 +640,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len) break; if (gopherState->cso_recno != recno) { - snprintf(tmpbuf, TEMP_BUF_SIZE, "
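Review bot: In the `@@ -582,37 +580,34 @@` hunk the WWW-link and standard-link branches still pass `host` to `appendf()` as-is, while the telnet/3270 branch wraps it in `rfc1738_escape_part(host)`; `host` appears to be parsed from the Gopher server's reply, so it should be escaped the same way before it reaches the generated page. For the standard link that would be `icon_url, rfc1738_escape_part(host), gtype, escaped_selector, html_quote(name));`. In the WWW-link branch the escaped host would need its own copy first, because it would share an argument list with `rfc1738_escape_unescaped(selector + 5)` and the two results may use the same return buffer; confirm against the rfc1738 helpers. The format strings are not legible on this page, so where `host` lands in the markup is inferred from the argument order. The enclosing function continues outside the hunk.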
Record# %d
%s\n
", recno, html_quote(result));
outbuf.appendf("
Record# %d
%s\n
", recno, html_quote(result)); gopherState->cso_recno = recno; } else {
snprintf(tmpbuf, TEMP\_BUF\_SIZE, "%s\\n", html\_quote(result));
outbuf.appendf("%s\\n", html\_quote(result)); }
outbuf.append(tmpbuf); break; } else { int code;
@@ -679,8 +673,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
case 502: { /\* Too Many Matches \*/
/\* Print the message the server returns \*/
snprintf(tmpbuf, TEMP\_BUF\_SIZE, "
%s\n
", html_quote(result));
outbuf.append(tmpbuf);
outbuf.appendf("
%s\n
", html_quote(result)); break; }
@@ -696,13 +689,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
} /\* while loop \*/
- if (outbuf.size() > 0) {
entry->append(outbuf.rawBuf(), outbuf.size());
- if (outbuf.length() > 0) {
}entry->append(outbuf.rawContent(), outbuf.length()); /\* now let start sending stuff to client \*/ entry->flush();
- outbuf.clean(); return; }
Related news
Red Hat Security Advisory 2022-6252-02 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 3.11.784. Issues addressed include a bypass vulnerability.
Red Hat OpenShift Container Platform release 3.11.784 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-39226: grafana: Snapshot authentication bypass
Red Hat Security Advisory 2022-5526-01 - Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-5542-01 - Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Issues addressed include a denial of service vulnerability.
An update for squid is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46784: squid: DoS when processing gopher server responses
An update for the squid:4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46784: squid: DoS when processing gopher server responses
An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46784: squid: DoS when processing gopher server responses
An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46784: squid: DoS when processing gopher server responses
An update for squid is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46784: squid: DoS when processing gopher server responses
An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46784: squid: DoS when processing gopher server responses
Ubuntu Security Notice 5491-1 - Joshua Rogers discovered that Squid incorrectly handled the Gopher protocol. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service.