------------------------------------------------------------
revno: 8965
revision-id: squid3@treenet.co.nz-20090202130556-4brjyrxrpd6ctxge
parent: squid3@treenet.co.nz-20090202120042-72qzbpe5gdwts2wd
committer: Amos Jeffries
branch nick: SQUID_3_0
timestamp: Tue 2009-02-03 02:05:56 +1300
message: Fixup parsing of invalid version numbers
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20090202130556-4brjyrxrpd6ctxge
# target_branch: http://www.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_0/
# testament_sha1: 4868de7a37a3da580d79fabda9c24e17dad238d2
# timestamp: 2009-02-02 13:09:33 +0000
# source_branch: http://www.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_0
# base_revision_id: squid3@treenet.co.nz-20090202120042-\
# 72qzbpe5gdwts2wd
#
# Begin patch
=== modified file 'src/HttpMsg.cc'
--- src/HttpMsg.cc 2009-02-02 12:00:42 +0000
+++ src/HttpMsg.cc 2009-02-02 13:05:56 +0000
@@ -463,7 +463,7 @@
 {
 int i = 0;
 int retcode = 0;
- unsigned int maj = 0, min = 9;
+ unsigned int maj = 0, min = 0;
 int last_whitespace = -1, line_end = -1;
 debugs(74, 5, "httpParserParseReqLine: parsing " << hmsg->buf);
@@ -568,10 +568,14 @@
 /* next should be 1 or more digits */
 maj = 0;
- for (; i < hmsg->req_end && (isdigit(hmsg->buf[i])); i++) {
+ for (; i < hmsg->req_end && (isdigit(hmsg->buf[i])) && maj < 65536; i++) {
 maj = maj * 10;
 maj = maj + (hmsg->buf[i]) - '0';
 }
+ if (maj >= 65536) {
+ retcode = -1;
+ goto finish;
+ }
 if (i >= hmsg->req_end) {
 retcode = 0;
 goto finish;
@@ -590,10 +594,14 @@
 /* next should be one or more digits */
 i++;
 min = 0;
- for (; i < hmsg->req_end && (isdigit(hmsg->buf[i])); i++) {
+ for (; i < hmsg->req_end && (isdigit(hmsg->buf[i])) && min < 65536; i++) {
 min = min * 10;
 min = min + (hmsg->buf[i]) - '0';
 }
+ if (min >= 65536) {
+ retcode = -1;
+ goto finish;
+ }
 /* Find whitespace, end of version */
 hmsg->v_end = i;
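Review bot: The `isdigit(hmsg->buf[i])` call in the rewritten major-version loop condition receives a raw request byte. If `buf` is a plain `char` buffer (its declaration is outside the hunk), any byte above 0x7F is negative on signed-char platforms and the call is undefined behaviour, so I would write `isdigit((unsigned char)hmsg->buf[i])`. The minor-version loop in the next hunk needs the same cast. The literal 65536 now appears four times across the two hunks; a named constant would help, with a comment such as `/* cap is tested before the multiply, so maj * 10 cannot wrap */`. The enclosing function starts and ends outside the hunk.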
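Review bot: Nothing visible after the minor-version loop checks that it consumed at least one digit, although the comment above it says "one or more digits". A version token with nothing after the dot leaves `min` at 0, passes the new `min >= 65536` test and falls through to `hmsg->v_end = i`. A proxy that accepts request lines more leniently than the servers behind it can end up interpreting the same request differently from them, so I would reject an empty run: set `digits_start = i` right after `i++`, then add `if (i == digits_start) { retcode = -1; goto finish; }` after the loop. The major-version loop in the previous hunk has the same shape, but the code that follows it lies partly outside that hunk, as does the rest of the enclosing function.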