main/squid/CVE-2014-3609.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

------------------------------------------------------------
revno: 11828
revision-id: squid3@treenet.co.nz-20140827143622-aj6y1q5khr7txsa7
parent: squid3@treenet.co.nz-20130713132208-e91nzzf0usz2ytp6
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.2
timestamp: Wed 2014-08-27 08:36:22 -0600
message:
  Ignore Range headers with unidentifiable byte-range values
  
  If squid is unable to determine the byte value for ranges, treat the
  header as invalid.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20140827143622-aj6y1q5khr7txsa7
# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
#   /SQUID_3_2
# testament_sha1: befb9d196a5292711a18d9503d5c50a60f1fa66a
# timestamp: 2014-08-27 14:36:44 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
#   /SQUID_3_2
# base_revision_id: squid3@treenet.co.nz-20130713132208-\
#   e91nzzf0usz2ytp6
# 
# Begin patch
=== modified file 'src/HttpHdrRange.cc'
--- a/src/HttpHdrRange.cc	2012-07-28 05:38:50 +0000
+++ b/src/HttpHdrRange.cc	2014-08-27 14:36:22 +0000
@@ -93,7 +93,7 @@
 
     /* is it a suffix-byte-range-spec ? */
     if (*field == '-') {
-        if (!httpHeaderParseOffset(field + 1, &length))
+        if (!httpHeaderParseOffset(field + 1, &length) || !known_spec(length))
             return false;
     } else
         /* must have a '-' somewhere in _this_ field */
@@ -101,7 +101,7 @@
             debugs(64, 2, "invalid (missing '-') range-spec near: '" << field << "'");
             return false;
         } else {
-            if (!httpHeaderParseOffset(field, &offset))
+            if (!httpHeaderParseOffset(field, &offset) || !known_spec(offset))
                 return false;
 
             ++p;
@@ -110,7 +110,7 @@
             if (p - field < flen) {
                 int64_t last_pos;
 
-                if (!httpHeaderParseOffset(p, &last_pos))
+                if (!httpHeaderParseOffset(p, &last_pos) || !known_spec(last_pos))
                     return false;
 
                 // RFC 2616 s14.35.1 MUST: last-byte-pos >= first-byte-pos