1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
------------------------------------------------------------
revno: 13235
revision-id: squid3@treenet.co.nz-20160420111514-4hpxglbn9k15l5sa
parent: squid3@treenet.co.nz-20160420101437-36eofkldxfku61kj
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.4
timestamp: Wed 2016-04-20 23:15:14 +1200
message:
Fix several ESI element construction issues
* Do not wrap active logic in assert().
* Fix localbuf array bounds checking.
* Add Must() conditions to verify array writes will succeed
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20160420111514-4hpxglbn9k15l5sa
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# testament_sha1: e95687b13c98667ab09966e7f94d511ca3e6ad96
# timestamp: 2016-04-20 11:18:22 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# base_revision_id: squid3@treenet.co.nz-20160420101437-\
# 36eofkldxfku61kj
#
# Begin patch
=== modified file 'src/esi/Esi.cc'
--- a/src/esi/Esi.cc 2013-06-27 15:58:46 +0000
+++ b/src/esi/Esi.cc 2016-04-20 11:15:14 +0000
@@ -991,7 +991,7 @@
ESIElement::Pointer element;
int specifiedattcount = attrCount * 2;
char *position;
- assert (ellen < sizeof (localbuf)); /* prevent unexpected overruns. */
+ Must(ellen < sizeof(localbuf)); /* prevent unexpected overruns. */
debugs(86, 5, "ESIContext::Start: element '" << el << "' with " << specifiedattcount << " tags");
@@ -1005,15 +1005,17 @@
/* Spit out elements we aren't interested in */
localbuf[0] = '<';
localbuf[1] = '\0';
- assert (xstrncpy (&localbuf[1], el, sizeof(localbuf) - 2));
+ xstrncpy(&localbuf[1], el, sizeof(localbuf) - 2);
position = localbuf + strlen (localbuf);
for (i = 0; i < specifiedattcount && attr[i]; i += 2) {
+ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 1);
*position = ' ';
++position;
/* TODO: handle thisNode gracefully */
- assert (xstrncpy (position, attr[i], sizeof(localbuf) + (position - localbuf)));
+ xstrncpy(position, attr[i], sizeof(localbuf) - (position - localbuf));
position += strlen (position);
+ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 2);
*position = '=';
++position;
*position = '\"';
@@ -1022,18 +1024,21 @@
char ch;
while ((ch = *chPtr++) != '\0') {
if (ch == '\"') {
- assert( xstrncpy(position, """, sizeof(localbuf) + (position-localbuf)) );
+ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 6);
+ xstrncpy(position, """, sizeof(localbuf) - (position-localbuf));
position += 6;
} else {
+ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 1);
*position = ch;
++position;
}
}
- position += strlen (position);
+ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 1);
*position = '\"';
++position;
}
+ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 2);
*position = '>';
++position;
*position = '\0';
@@ -1119,11 +1124,11 @@
switch (ESIElement::IdentifyElement (el)) {
case ESIElement::ESI_ELEMENT_NONE:
- assert (ellen < sizeof (localbuf)); /* prevent unexpected overruns. */
+ Must(ellen < sizeof(localbuf) - 3); /* prevent unexpected overruns. */
/* Add elements we aren't interested in */
localbuf[0] = '<';
localbuf[1] = '/';
- assert (xstrncpy (&localbuf[2], el, sizeof(localbuf) - 3));
+ xstrncpy(&localbuf[2], el, sizeof(localbuf) - 3);
position = localbuf + strlen (localbuf);
*position = '>';
++position;
|
