Package: squid3 / 3.4.8-6+deb8u5

42-SQUID-2016_9-CVE-2016-4555-CVE-2016-4556.patch
Origin: upstream, http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch

------------------------------------------------------------
revno: 13237
revision-id: squid3@treenet.co.nz-20160506091244-3td2be9qbzsajxg8
parent: squid3@treenet.co.nz-20160502034253-axee4hqa4wuhlpkg
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4455
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.4
timestamp: Fri 2016-05-06 21:12:44 +1200
message:
  Bug 4455: SegFault from ESIInclude::Start
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20160506091244-3td2be9qbzsajxg8
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# testament_sha1: b9714bc153e5fd6e8fe505a6c1d8a54c88e03a77
# timestamp: 2016-05-06 09:48:43 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# base_revision_id: squid3@treenet.co.nz-20160502034253-\
#   axee4hqa4wuhlpkg
# 
# Begin patch
=== modified file 'src/client_side_request.cc'
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -163,13 +163,15 @@
     start_time = current_time;
     setConn(aConn);
     al = new AccessLogEntry;
-    al->tcpClient = clientConnection = aConn->clientConnection;
+    if (aConn) {
+        al->tcpClient = clientConnection = aConn->clientConnection;
 #if USE_SSL
-    if (aConn->clientConnection != NULL && aConn->clientConnection->isOpen()) {
-        if (SSL *ssl = fd_table[aConn->clientConnection->fd].ssl)
-            al->cache.sslClientCert.reset(SSL_get_peer_certificate(ssl));
-    }
+        if (aConn->clientConnection != NULL && aConn->clientConnection->isOpen()) {
+            if (SSL *ssl = fd_table[aConn->clientConnection->fd].ssl)
+                al->cache.sslClientCert.reset(SSL_get_peer_certificate(ssl));
+        }
 #endif
+    }
     dlinkAdd(this, &active, &ClientActiveRequests);
 #if USE_ADAPTATION
     request_satisfaction_mode = false;
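Review bot: `setConn(aConn);` on the context line above the new `if (aConn)` guard still receives the possibly-null pointer, and the hunk does not show whether it tolerates that; this is worth confirming now that a null `aConn` is an accepted input. When `aConn` is null, `al->tcpClient` and `clientConnection` are never assigned here, so any later user of those members has to cope with an unset connection, which cannot be verified from this hunk. I would add a comment at the guard stating why null is legal, e.g. `// aConn may be NULL for requests with no client connection (presumably ESI includes, see bug 4455)`. The constructor starts and ends outside the hunk.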
--- a/src/esi/Context.h
+++ b/src/esi/Context.h
@@ -36,6 +36,7 @@
 #include "esi/Element.h"
 #include "clientStream.h"
 #include "err_type.h"
+#include "HttpReply.h"
 #include "http/StatusCode.h"
 
 class ESIVarState;
@@ -114,7 +115,7 @@
     err_type errorpage; /* if we error what page to use */
     Http::StatusCode errorstatus; /* if we error, what code to return */
     char *errormessage; /* error to pass to error page */
-    HttpReply *rep; /* buffered until we pass data downstream */
+    HttpReply::Pointer rep; /* buffered until we pass data downstream */
     ESISegment::Pointer buffered; /* unprocessed data - for whatever reason */
     ESISegment::Pointer incoming;
     /* processed data we are waiting to send, or for
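Review bot: Switching `rep` to `HttpReply::Pointer` moves reference counting into the smart pointer, but the visible hunks only touch sites that read or clear `rep`. Any site that assigns it and previously paired the assignment with a manual `HTTPMSGLOCK` would now take an extra reference and leak the reply. No such assignment appears in this patch, so the rest of Esi.cc needs a check. The member comment could also state the new ownership, e.g. `/* refcounted; buffered until we pass data downstream */`. The enclosing class continues outside the hunk.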
--- a/src/esi/Esi.cc
+++ b/src/esi/Esi.cc
@@ -598,7 +598,7 @@
 
 #endif
 
-    if (!(rep || (outbound.getRaw() &&
+    if (!(rep != NULL || (outbound.getRaw() &&
                   outbound->len && (outbound_offset <= outbound->len)))) {
         debugs(86, 5, "ESIContext::send: Nothing to send.");
         return 0;
@@ -643,18 +643,18 @@
     flags.clientwantsdata = 0;
     debugs(86, 5, "ESIContext::send: this=" << this << " Client no longer wants data ");
     /* Deal with re-entrancy */
-    HttpReply *temprep = rep;
+    HttpReply::Pointer temprep = rep;
     rep = NULL; /* freed downstream */
 
-    if (temprep && varState)
-        varState->buildVary (temprep);
+    if (temprep != NULL && varState)
+        varState->buildVary(temprep.getRaw());
 
     {
         StoreIOBuffer tempBuffer;
         tempBuffer.length = len;
         tempBuffer.offset = pos - len;
         tempBuffer.data = next->readBuffer.data;
-        clientStreamCallback (thisNode, http, temprep, tempBuffer);
+        clientStreamCallback (thisNode, http, temprep.getRaw(), tempBuffer);
     }
 
     if (len == 0)
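Review bot: The retained comment `/* freed downstream */` on `rep = NULL;` is stale now that `temprep` is an `HttpReply::Pointer`. The local holds a reference for the duration of `clientStreamCallback`, and the downstream node receives only a raw pointer from `temprep.getRaw()`. Whether the callee takes its own reference is not visible here; if it merely stores the raw pointer, the reply is released when `temprep` leaves scope and the stored pointer dangles. I would reword the comment to `rep = NULL; /* temprep holds the reference across the re-entrant callback */` and confirm the callee locks the reply. ESIContext::send starts and ends outside the hunk.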
@@ -1284,7 +1284,7 @@
         ++parserState.stackdepth;
     }
 
-    if (rep && !parserState.inited())
+    if (rep != NULL && !parserState.inited())
         parserState.init(this);
 
     /* we have data */
@@ -1423,7 +1423,7 @@
 {
     debugs(86, 5, HERE << "Freeing for this=" << this);
 
-    HTTPMSGUNLOCK(rep);
+    rep = NULL; // refcounted
 
     finishChildren ();