diff --git a/SOURCES/squid-4.15-fatal-read-data-from-mem.patch b/SOURCES/squid-4.15-fatal-read-data-from-mem.patch
new file mode 100644
index 0000000..401703b
--- /dev/null
+++ b/SOURCES/squid-4.15-fatal-read-data-from-mem.patch
@@ -0,0 +1,48 @@
+From 6c29ec591b1c777fc9a66f810f0ce5bc5076bc40 Mon Sep 17 00:00:00 2001
+From: Alex Rousskov
+Date: Tue, 14 Nov 2023 18:40:37 +0000
+Subject: [PATCH] Bug 5317: FATAL attempt to read data from memory (#1579)
+
+ FATAL: Squid has attempted to read data ... that is not present.
+
+Recent commit 122a6e3 attempted to deliver in-memory response body bytes
+to a Store-reading client that requested (at least) response headers.
+That optimization relied on the old canReadFromMemory() logic, but that
+logic results in false positives when the checked read offset falls into
+a gap between stored headers and the first body byte of a Content-Range.
+In that case, a false positive leads to a readFromMemory() call and a
+FATAL mem_hdr::copy() error.
+
+This workaround disables the above optimization without fixing
+canReadFromMemory(). We believe that a readFromMemory() call that comes
+right after response headers are delivered to the Store-reading client
+will not suffer from the same problem because the client will supply the
+read offset of the first body byte, eliminating the false positive.
+---
+ src/store_client.cc | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/store_client.cc b/src/store_client.cc
+index a5f2440..b09f78a 100644
+--- a/src/store_client.cc
++++ b/src/store_client.cc
+@@ -355,8 +355,9 @@ store_client::doCopy(StoreEntry *anEntry)
+ return; // failure
+ }
+
+- // send any immediately available body bytes even if we also sendHttpHeaders
+- if (canReadFromMemory()) {
++ // Send any immediately available body bytes unless we sendHttpHeaders.
++ // TODO: Send those body bytes when we sendHttpHeaders as well.
++ if (!sendHttpHeaders && canReadFromMemory()) {
+ readFromMemory();
+ noteNews(); // will sendHttpHeaders (if needed) as well
+ flags.store_copying = false;
+@@ -442,6 +443,7 @@ store_client::canReadFromMemory() const
+ {
+ const auto &mem = entry->mem();
+ const auto memReadOffset = nextHttpReadOffset();
++ // XXX: This (lo <= offset < end) logic does not support Content-Range gaps.
+ return mem.inmem_lo <= memReadOffset && memReadOffset < mem.endOffset() &&
+ parsingBuffer.first.spaceSize();
+ }
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index 6b54bc0..325aefe 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -2,7 +2,7 @@ Name: squid Version: 4.15 -Release: 10%{?dist}.5 +Release: 10%{?dist}.6 Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code
@@ -42,6 +42,8 @@ Patch209: squid-4.15-ftp-filename-extraction.patch Patch210: squid-4.15-halfclosed.patch # https://issues.redhat.com/browse/RHEL-66120 Patch211: squid-4.15-dns-obey-ttl-set-to-zero.patch +# https://issues.redhat.com/browse/RHEL-57030 +Patch212: squid-4.15-fatal-read-data-from-mem.patch # Security fixes # https://bugzilla.redhat.com/show_bug.cgi?id=1941506
@@ -155,6 +157,9 @@ lookup program (dnsserver), a program for retrieving FTP data %patch313 -p1 -b .ignore-wsp-chunk-sz %patch314 -p1 -b .CVE-2024-23638 +# patch305 follow-up +%patch212 -p1 -b .fatal-read-data-from-mem + # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented|' src/squid.8.in
@@ -370,6 +375,10 @@ fi %changelog +* Wed Mar 26 2025 Luboš Uhliarik - 7:4.15-10.6 +- Resolves: RHEL-84420 - A squid child process causes a memory reference error + and the squid service terminates abnormally + * Fri Nov 22 2024 Luboš Uhliarik - 7:4.15-10.5 - Resolves: RHEL-66120 - squid caches DNS entries despite having TTL set to 0
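Review bot: canReadFromMemory() keeps the (lo <= offset < end) check that the commit message names as the source of the false positive, and the only guard added is `!sendHttpHeaders` at this one call in doCopy(); the later readFromMemory() call is covered only by the message's "We believe". A false positive ends in a FATAL that terminates the Squid process, so any other callers of canReadFromMemory() in store_client.cc should be checked for read offsets that can land in the header/body gap of a Content-Range response. Those callers are not visible here, and both function bodies continue outside the embedded hunks. I would also record the consequence in the XXX comment for the next backporter: `// XXX: This (lo <= offset < end) logic does not support Content-Range gaps; a false positive makes readFromMemory() hit a FATAL mem_hdr::copy() error.` A regression case for a stored response with a Content-Range belongs in the package test plan.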
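Review bot: The `# patch305 follow-up` comment above `%patch212` does not say what the dependency is, even though Patch212 is declared with the regular 2xx patches but applied at the end of the security-fix sequence, after `%patch314`. If the ordering is required because the fix edits store_client.cc code that patch305 introduces (inferred from the word "follow-up"; patch305 is not visible in this diff), state that, e.g. `# Must apply after patch305: upstream Bug 5317 fix for a FATAL in src/store_client.cc`. The Patch212 hunk also links RHEL-57030 while the changelog entry resolves RHEL-84420; if one is a clone of the other, naming both next to Patch212 would keep the fix traceable.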