-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/05/2013 01:53 PM, tytusromekiatomek@xxxxxxxxxxxx wrote: > ################################################################ # > DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc # > ################################################################ # > # Authors: # # 22733db72ab3ed94b5f8a1ffcde850251fe6f466 # > c8e74ebd8392fda4788179f9a02bb49337638e7b # AKAT-1 # > ####################################### > > # Versions: 3.2.5, 3.2.7 > > > This error is only triggered when squid needs to generate an error > page (for example backend node is not responding etc...) POC > (request): -- cut -- GET http://127.0.0.1:1/foo HTTP/1.1 > Accept-Language: , -- cut -- > > e.g : curl -H "Accept-Language: ," http://localhost:3129/ > > Code: > > strHdrAcptLangGetItem is called with pos equals 0, therefore first > branch in if (316 line) is taken, because xisspace(hdr[pos]) is > false, then pos++ is not executed (because hdr[0] is ','). In 335 > line statement in while is also false because hdr[0] = ',', so > whole loop body is omited. dt = lang, thus after assignment in 353 > line *lang == '\0', so expression in if statement in 357 line is > false. So next execution of while body (314 line), has got same > preconditions as previous, thus it's infinite loop. Was this reported upstream to squid-bugs@xxxxxxxxxxxxxxx? Has anyone confirmed this, and if so, does it require a CVE #? - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJROQF3AAoJEBYNRVNeJnmTq5oQANtdEmCVhIbR9RppkKuPsIP0 QW+sMJYIunEdUchS+p8IRQiN3IrD8ySDuyWeOSTW6riYopH1XhV1RMY67+JJ63kg vR7Toh5GFTjKmd6HvrN7FX7yZ5UyupClX1WhBk2s8GTIhYckDCykvWePJwei2cT3 fRYc72jSsEoqKP5CTS9YK91Ap0FZRGDREt/V6yZwGkYAVh6j89XC5j95VPzNCigQ QQquLNr0AaRQC2E/Ofa++GW8GHf1yGMOQ49ypEKr1n7CrY3uZD2/Gp968GPZx+DJ /31KyBAW5v2e1cTIOMgan+mVR8PDHcWSKFQu3bRpd4JaeNkYWHsd66w2tclL8r6Q N09+GJFiEdE9ycsHMHMyz8DcCtzLo6BnrP9NTHYzd5Q2CyNpNS0RnAVsFU0Bj2VX WLA7JhcM0+5+UJvn9dIuNSaB7xVusKi5Q4YCP33FFULsDczKs5tFBrvrvEn3h9// gol31UVSMpB00Bh5ijWifLmrRXJ9+RodxZUZ4PfmmllPA30iuoTqb0yhmVv314GG 5/T/PnsMYEAWSrsaqdcfWiWNLGyx/lqovrXofszratY7Urphp0OJNueN9Et7IPkZ E42eXZt3x3FfJzFNA2WgXIW13aTQ+iRdAqMip+jmylfMr6JtABevu+V1JXvZkcHY 8E7GKbUGP4HexDIWiA0a =tSGC -----END PGP SIGNATURE-----
