203568450c
feature (CVE-2023-49285) Resolves: RHEL-18345 - squid: Incorrect Check of Function Return Value In Helper Process management (CVE-2023-49286) Resolves: RHEL-18146 - squid crashes in assertion when a parent peer exists Resolves: RHEL-18231 - squid: Denial of Service in SSL Certificate validation (CVE-2023-46724) Resolves: RHEL-15912 - squid: NULL pointer dereference in the gopher protocol code (CVE-2023-46728)
31 lines
871 B
Diff
31 lines
871 B
Diff
commit 77b3fb4df0f126784d5fd4967c28ed40eb8d521b
|
|
Author: Alex Rousskov <rousskov@measurement-factory.com>
|
|
Date: Wed Oct 25 19:41:45 2023 +0000
|
|
|
|
RFC 1123: Fix date parsing (#1538)
|
|
|
|
The bug was discovered and detailed by Joshua Rogers at
|
|
https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html
|
|
where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time
|
|
Handling".
|
|
|
|
diff --git a/lib/rfc1123.c b/lib/rfc1123.c
|
|
index e5bf9a4d7..cb484cc00 100644
|
|
--- a/lib/rfc1123.c
|
|
+++ b/lib/rfc1123.c
|
|
@@ -50,7 +50,13 @@ make_month(const char *s)
|
|
char month[3];
|
|
|
|
month[0] = xtoupper(*s);
|
|
+ if (!month[0])
|
|
+ return -1; // protects *(s + 1) below
|
|
+
|
|
month[1] = xtolower(*(s + 1));
|
|
+ if (!month[1])
|
|
+ return -1; // protects *(s + 2) below
|
|
+
|
|
month[2] = xtolower(*(s + 2));
|
|
|
|
for (i = 0; i < 12; i++)
|
|
|