------------------------------------------------------------ revno: 12416 revision-id: squid3@treenet.co.nz-20121129102658-rpag7hg7fjhuxdoa parent: squid3@treenet.co.nz-20121125050242-x3s3y3bgkul9k25z committer: Amos Jeffries branch nick: 3.3 timestamp: Thu 2012-11-29 03:26:58 -0700 message: Fix several buffer termination bugs * strcpy() replaced in several places with strncpy() to ensure destination buffers are not overflowed. * strncpy() does not nul-terminate the destination when the string being copied in exactly fills the buffer. Ensure we have terminated strings where it may matter. Detected by Coverity Scan. Issues 740309, 740310, 740311, 740481, 740483 ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20121129102658-rpag7hg7fjhuxdoa # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # testament_sha1: 9bd010a63225ebd27efe0e584d89849dec86a167 # timestamp: 2012-11-29 10:40:11 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # base_revision_id: squid3@treenet.co.nz-20121125050242-\ # x3s3y3bgkul9k25z # # Begin patch === modified file 'src/AccessLogEntry.cc' --- src/AccessLogEntry.cc 2012-09-04 09:10:20 +0000 +++ src/AccessLogEntry.cc 2012-11-29 10:26:58 +0000 @@ -22,7 +22,7 @@ if (tcpClient != NULL) tcpClient->remote.NtoA(buf, bufsz); else if (cache.caddr.IsNoAddr()) // e.g., ICAP OPTIONS lack client - strncpy(buf, "-", 1); + strncpy(buf, "-", bufsz); else cache.caddr.NtoA(buf, bufsz); } === modified file 'src/dns_internal.cc' --- src/dns_internal.cc 2012-09-04 09:10:20 +0000 +++ src/dns_internal.cc 2012-11-29 10:26:58 +0000 @@ -334,7 +334,8 @@ } assert(npc < npc_alloc); - strcpy(searchpath[npc].domain, buf); + strncpy(searchpath[npc].domain, buf, sizeof(searchpath[npc].domain)-1); + searchpath[npc].domain[sizeof(searchpath[npc].domain)-1] = '\0'; Tolower(searchpath[npc].domain); debugs(78, 3, "idnsAddPathComponent: Added domain #" << npc << ": " << searchpath[npc].domain); ++npc; === modified file 'src/neighbors.cc' --- src/neighbors.cc 2012-09-22 13:26:23 +0000 +++ src/neighbors.cc 2012-11-29 10:26:58 +0000 @@ -846,7 +846,7 @@ { #if USE_CACHE_DIGESTS if (p) - strncpy(request->hier.cd_host, p->host, sizeof(request->hier.cd_host)); + strncpy(request->hier.cd_host, p->host, sizeof(request->hier.cd_host)-1); else *request->hier.cd_host = '\0'; === modified file 'src/tools.cc' --- src/tools.cc 2012-11-24 03:51:51 +0000 +++ src/tools.cc 2012-11-29 10:26:58 +0000 @@ -1135,8 +1135,9 @@ /* For IPV6 addresses also check for a colon */ if (Config.appendDomain && !strchr(lt, '.') && !strchr(lt, ':')) { /* I know it's ugly, but it's only at reconfig */ - strncpy(buf2, lt, 512); - strncat(buf2, Config.appendDomain, 512 - strlen(lt) - 1); + strncpy(buf2, lt, sizeof(buf2)-1); + strncat(buf2, Config.appendDomain, sizeof(buf2) - strlen(lt) - 1); + buf2[sizeof(buf2)-1] = '\0'; host = buf2; } else { host = lt; === modified file 'src/url.cc' --- src/url.cc 2012-10-16 23:40:01 +0000 +++ src/url.cc 2012-11-29 10:26:58 +0000 @@ -313,10 +313,12 @@ /* Is there any login information? (we should eventually parse it above) */ t = strrchr(host, '@'); if (t != NULL) { - strcpy((char *) login, (char *) host); + strncpy((char *) login, (char *) host, sizeof(login)-1); + login[sizeof(login)-1] = '\0'; t = strrchr(login, '@'); *t = 0; - strcpy((char *) host, t + 1); + strncpy((char *) host, t + 1, sizeof(host)-1); + host[sizeof(host)-1] = '\0'; } /* Is there any host information? (we should eventually parse it above) */ === modified file 'src/wccp2.cc' --- src/wccp2.cc 2012-08-31 16:57:39 +0000 +++ src/wccp2.cc 2012-11-29 10:26:58 +0000 @@ -605,7 +605,7 @@ SquidMD5Init(&M); - SquidMD5Update(&M, pwd, 8); + SquidMD5Update(&M, pwd, sizeof(pwd)); SquidMD5Update(&M, packet, len); @@ -650,7 +650,6 @@ /* The password field, for the MD5 hash, needs to be 8 bytes and NUL padded. */ memset(pwd, 0, sizeof(pwd)); - strncpy(pwd, srv->wccp_password, sizeof(pwd)); /* Take a copy of the challenge: we need to NUL it before comparing */ @@ -660,7 +659,7 @@ SquidMD5Init(&M); - SquidMD5Update(&M, pwd, 8); + SquidMD5Update(&M, pwd, sizeof(pwd)); SquidMD5Update(&M, packet, len);