------------------------------------------------------------ revno: 11719 revision-id: squid3@treenet.co.nz-20121130110455-q32hvtw0425j3mix parent: squid3@treenet.co.nz-20121129112058-qjxrxlrh2pp6lk5s committer: Amos Jeffries branch nick: 3.2 timestamp: Fri 2012-11-30 04:04:55 -0700 message: basic_smb_auth: Buffer overrun. A reply string expanding to >8KB after shell escaping can cause the helper memory corruption or crash as output buffer is overrun. Detected by Coverity Scan. Issue 740411 ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20121130110455-q32hvtw0425j3mix # target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ # /SQUID_3_2 # testament_sha1: a999e20403d03f31ca28fc71d5eaee2d4f1137b5 # timestamp: 2012-11-30 11:06:39 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ # /SQUID_3_2 # base_revision_id: squid3@treenet.co.nz-20121129112058-\ # qjxrxlrh2pp6lk5s # # Begin patch
=== modified file 'helpers/basic_auth/SMB/basic_smb_auth.cc'
--- helpers/basic_auth/SMB/basic_smb_auth.cc 2012-07-28 05:38:50 +0000
+++ helpers/basic_auth/SMB/basic_smb_auth.cc 2012-11-30 11:04:55 +0000
@@ -82,8 +82,12 @@
 char *t;
 int i = 0;
- for (t = s; *t != '\0'; t++) {
- if (i > HELPER_INPUT_BUFFER-2) {
+ for (t = s; *t != '\0'; ++t) {
+ /*
+ * NP: The shell escaping permits 'i' to jump up to 2 octets per loop,
+ * so ensure we have at least 3 free.
+ */
+ if (i > HELPER_INPUT_BUFFER-3) {
 buf[i] = '\0';
 (void) fputs(buf, p);
 i = 0;
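Review bot: The new bound in `if (i > HELPER_INPUT_BUFFER-3)` is a hand-computed constant that depends on the escaping code later in the loop, which lies outside this hunk, so the invariant is enforced only by the comment. If that code ever emits a third octet per input character, the overrun returns without any compiler or runtime signal. Tying the check to the buffer itself would make the relation explicit, for example `if (i + 3 > (int) sizeof(buf)) {`, assuming `buf` is a local array of `HELPER_INPUT_BUFFER` chars (its declaration is not visible here). The context line `(void) fputs(buf, p);` also discards a write failure, so a partially written escaped string may go unnoticed by the helper; checking for `EOF` there would be a reasonable follow-up. The loop body and the enclosing function both continue past the end of the hunk.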