Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/05/2013 01:53 PM, tytusromekiatomek@xxxxxxxxxxxx wrote:
> ################################################################ #
> DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc # 
> ################################################################ # 
> # Authors: # # 22733db72ab3ed94b5f8a1ffcde850251fe6f466 #
> c8e74ebd8392fda4788179f9a02bb49337638e7b # AKAT-1 # 
> #######################################
> 
> # Versions: 3.2.5, 3.2.7
> 
> 
> This error is only triggered when squid needs to generate an error
> page (for example backend node is not responding etc...) POC
> (request): -- cut -- GET http://127.0.0.1:1/foo HTTP/1.1 
> Accept-Language: , -- cut --
> 
> e.g : curl -H "Accept-Language: ," http://localhost:3129/
> 
> Code:
> 
> strHdrAcptLangGetItem is called with pos equals 0, therefore first
> branch in if (316 line) is taken, because xisspace(hdr[pos]) is
> false, then pos++ is not executed (because hdr[0] is ','). In 335
> line statement in while is also false because hdr[0] = ',', so
> whole loop body is omited. dt = lang, thus after assignment in 353
> line *lang == '\0', so expression in if statement in 357 line is
> false. So next execution of while body (314 line), has got same
> preconditions as previous, thus it's infinite loop.

Was this reported upstream to squid-bugs@xxxxxxxxxxxxxxx? Has anyone
confirmed this, and if so, does it require a CVE #?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJROQF3AAoJEBYNRVNeJnmTq5oQANtdEmCVhIbR9RppkKuPsIP0
QW+sMJYIunEdUchS+p8IRQiN3IrD8ySDuyWeOSTW6riYopH1XhV1RMY67+JJ63kg
vR7Toh5GFTjKmd6HvrN7FX7yZ5UyupClX1WhBk2s8GTIhYckDCykvWePJwei2cT3
fRYc72jSsEoqKP5CTS9YK91Ap0FZRGDREt/V6yZwGkYAVh6j89XC5j95VPzNCigQ
QQquLNr0AaRQC2E/Ofa++GW8GHf1yGMOQ49ypEKr1n7CrY3uZD2/Gp968GPZx+DJ
/31KyBAW5v2e1cTIOMgan+mVR8PDHcWSKFQu3bRpd4JaeNkYWHsd66w2tclL8r6Q
N09+GJFiEdE9ycsHMHMyz8DcCtzLo6BnrP9NTHYzd5Q2CyNpNS0RnAVsFU0Bj2VX
WLA7JhcM0+5+UJvn9dIuNSaB7xVusKi5Q4YCP33FFULsDczKs5tFBrvrvEn3h9//
gol31UVSMpB00Bh5ijWifLmrRXJ9+RodxZUZ4PfmmllPA30iuoTqb0yhmVv314GG
5/T/PnsMYEAWSrsaqdcfWiWNLGyx/lqovrXofszratY7Urphp0OJNueN9Et7IPkZ
E42eXZt3x3FfJzFNA2WgXIW13aTQ+iRdAqMip+jmylfMr6JtABevu+V1JXvZkcHY
8E7GKbUGP4HexDIWiA0a
=tSGC
-----END PGP SIGNATURE-----


[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux