In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.

Date: 2022-04-18 13:42:36 +0000 Improve handling of Gopher responses (#1022) diff --git a/src/gopher.cc b/src/gopher.cc index c4d1aeaad..6a77d9aaf 100644 --- a/src/gopher.cc +++ b/src/gopher.cc @@ -365,7 +365,6 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len) char \*lpos = NULL; char \*tline = NULL; LOCAL\_ARRAY(char, line, TEMP\_BUF\_SIZE); - LOCAL\_ARRAY(char, tmpbuf, TEMP\_BUF\_SIZE); char \*name = NULL; char \*selector = NULL; char \*host = NULL; @@ -375,7 +374,6 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len) char gtype; StoreEntry \*entry = NULL; - memset(tmpbuf, '\\0', TEMP\_BUF\_SIZE); memset(line, '\\0', TEMP\_BUF\_SIZE); entry = gopherState->entry; @@ -410,7 +408,7 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len) return; } - String outbuf; + SBuf outbuf; if (!gopherState->HTML\_header\_added) { if (gopherState->conversion == GopherStateData::HTML\_CSO\_RESULT) @@ -582,37 +580,34 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len) break; } - memset(tmpbuf, '\\0', TEMP\_BUF\_SIZE); - if ((gtype == GOPHER\_TELNET) || (gtype == GOPHER\_3270)) { if (strlen(escaped\_selector) != 0) - snprintf(tmpbuf, TEMP\_BUF\_SIZE, " %s\\n", - icon\_url, escaped\_selector, rfc1738\_escape\_part(host), - \*port ? ":" : "", port, html\_quote(name)); + outbuf.appendf(" %s\\n", + icon\_url, escaped\_selector, rfc1738\_escape\_part(host), + \*port ? ":" : "", port, html\_quote(name)); else - snprintf(tmpbuf, TEMP\_BUF\_SIZE, " %s\\n", - icon\_url, rfc1738\_escape\_part(host), \*port ? ":" : "", - port, html\_quote(name)); + outbuf.appendf(" %s\\n", + icon\_url, rfc1738\_escape\_part(host), \*port ? ":" : "", + port, html\_quote(name)); } else if (gtype == GOPHER\_INFO) { - snprintf(tmpbuf, TEMP\_BUF\_SIZE, "\\t%s\\n", html\_quote(name)); + outbuf.appendf("\\t%s\\n", html\_quote(name)); } else { if (strncmp(selector, "GET /", 5) == 0) { /\* WWW link \*/ - snprintf(tmpbuf, TEMP\_BUF\_SIZE, " %s\\n", - icon\_url, host, rfc1738\_escape\_unescaped(selector + 5), html\_quote(name)); + outbuf.appendf(" %s\\n", + icon\_url, host, rfc1738\_escape\_unescaped(selector + 5), html\_quote(name)); } else if (gtype == GOPHER\_WWW) { - snprintf(tmpbuf, TEMP\_BUF\_SIZE, " %s\\n", - icon\_url, rfc1738\_escape\_unescaped(selector), html\_quote(name)); + outbuf.appendf(" %s\\n", + icon\_url, rfc1738\_escape\_unescaped(selector), html\_quote(name)); } else { /\* Standard link \*/ - snprintf(tmpbuf, TEMP\_BUF\_SIZE, " %s\\n", - icon\_url, host, gtype, escaped\_selector, html\_quote(name)); + outbuf.appendf(" %s\\n", + icon\_url, host, gtype, escaped\_selector, html\_quote(name)); } } safe\_free(escaped\_selector); - outbuf.append(tmpbuf); } else { memset(line, '\\0', TEMP\_BUF\_SIZE); continue; @@ -645,13 +640,12 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len) break; if (gopherState->cso\_recno != recno) { - snprintf(tmpbuf, TEMP\_BUF\_SIZE, "

**Record# %d  
_%s_**\\n

", recno, html\_quote(result));
+                    outbuf.appendf("

**Record# %d  
_%s_**\\n

", recno, html\_quote(result));
                     gopherState->cso\_recno = recno;
                 } else {
-                    snprintf(tmpbuf, TEMP\_BUF\_SIZE, "%s\\n", html\_quote(result));
+                    outbuf.appendf("%s\\n", html\_quote(result));
                 }
 
-                outbuf.append(tmpbuf);
                 break;
             } else {
                 int code;
@@ -679,8 +673,7 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len)
 
                 case 502: { /\* Too Many Matches \*/
                     /\* Print the message the server returns \*/
-                    snprintf(tmpbuf, TEMP\_BUF\_SIZE, "

**%s**\\n

", html\_quote(result));
-                    outbuf.append(tmpbuf);
+                    outbuf.appendf("

**%s**\\n

", html\_quote(result));
                     break;
                 }
 
@@ -696,13 +689,12 @@ gopherToHTML(GopherStateData \* gopherState, char \*inbuf, int len)
 
     }               /\* while loop \*/
 
-    if (outbuf.size() > 0) {
-        entry->append(outbuf.rawBuf(), outbuf.size());
+    if (outbuf.length() > 0) {
+        entry->append(outbuf.rawContent(), outbuf.length());
         /\* now let start sending stuff to client \*/
         entry->flush();
     }
 
-    outbuf.clean();
     return;
 }

CVE-2021-46784

Pexip Infinity before 27.3 allows remote attackers to force a software abort via HTTP.

CVE-2022-26654: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27.x before 27.2 has Improper Access Control. An attacker can sometimes join a conference (call join) if it has a lock but not a PIN.

CVE-2022-25357: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via HTTP.

CVE-2022-27929: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via Epic Telehealth.

CVE-2022-27935: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.

CVE-2022-27928: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via HTTP.

CVE-2022-27934: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via H.323.

CVE-2022-27936: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.

CVE-2022-27932: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort, and possibly enumerate usernames, via One Touch Join.

Tag

#dos