------------------------------------------------------------ revno: 12391 revision-id: squid3@treenet.co.nz-20121118113748-8h7tfoqqt3cvidba parent: squid3@treenet.co.nz-20121118113644-eu5asi2e0pwiwqh5 committer: Amos Jeffries branch nick: 3.3 timestamp: Sun 2012-11-18 04:37:48 -0700 message: basic_smb_auth: Buffer overrun. A reply string expanding to >8KB after shell escaping can cause the helper memory corruption or crash as output buffer is overrun. Detected by Coverity Scan. Issue 740411 ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20121118113748-8h7tfoqqt3cvidba # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # testament_sha1: 96d4169580f4cf9264404e210bc23778c120277a # timestamp: 2012-11-18 11:39:26 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # base_revision_id: squid3@treenet.co.nz-20121118113644-\ # eu5asi2e0pwiwqh5 # # Begin patch
=== modified file 'helpers/basic_auth/SMB/basic_smb_auth.cc'
--- helpers/basic_auth/SMB/basic_smb_auth.cc 2012-08-28 13:00:30 +0000
+++ helpers/basic_auth/SMB/basic_smb_auth.cc 2012-11-18 11:37:48 +0000
@@ -82,7 +82,11 @@
 int i = 0;
 for (t = s; *t != '\0'; ++t) {
- if (i > HELPER_INPUT_BUFFER-2) {
+ /*
+ * NP: The shell escaping permits 'i' to jump up to 2 octets per loop,
+ * so ensure we have at least 3 free.
+ */
+ if (i > HELPER_INPUT_BUFFER-3) {
 buf[i] = '\0';
 (void) fputs(buf, p);
 i = 0;
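Review bot: The new bound in the flush check, `HELPER_INPUT_BUFFER-3`, is tied to the escaping code only by the comment above it, so a later change that lets one input octet expand to more than two output octets would silently bring back the overrun this commit fixes. The three reserved octets appear to be the two an escaped character can write plus the NUL stored by `buf[i] = '\0'`, and the comment should say so, e.g. `/* reserve 2 octets for an escaped character plus 1 for the terminating NUL */`. Writing the test as remaining space, `if (i + 3 > HELPER_INPUT_BUFFER) {`, makes the headroom explicit, assuming `buf` is declared with `HELPER_INPUT_BUFFER` octets. The declaration of `buf` and the escaping branches lie outside the hunk, so both should be confirmed against the full function, ideally with a regression test that feeds an input longer than the buffer made up entirely of characters that need escaping.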