Package: squid
Version: 2.6.4-1
Severity: normal
Hello,
recently I discovered the following bit of code in the source file
src/tools.c (function 'parseEtcHosts', around line 1169):
void
parseEtcHosts(void)
{
    FILE *fp;
    char buf[1024];
    char buf2[512];
    ...
        if (Config.appendDomain && !strchr(lt, '.')) {
            /* I know it's ugly, but it's only at reconfig */
            strncpy(buf2, lt, 512);
            strncat(buf2, Config.appendDomain, 512 - strlen(lt));

This code is unsafe for two reasons: (1) lt comes directly from the
/etc/hosts file. If the length of this string is 512 characters or
longer, the 'strncpy' statement will not terminate the string 'buf2'.
(2) 'strncat' always adds a terminating '\0' after the appended
string. If the string 'Config.appendDomain' is 512-strlen(lt)
characters or longer, the terminating '\0' will be written just
_after_ the last byte of 'buf2'.
This does not look very dangerous but, I think, it should be fixed
anyway.
I hope this helps,
Jochen
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)
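
Added example, not part of the original report or of Squid's source: it models the two calls from the excerpt arithmetically, without performing the out-of-bounds write, and shows one bounded way to build the same string. The function names (strncat_nul_index, strncpy_leaves_unterminated, append_domain, try_lengths) are hypothetical, and the test strings are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUF2_SIZE 512   /* size of buf2 in the quoted excerpt */

/* Models strncat(buf2, domain, 512 - strlen(lt)) without doing the write.
 * Returns the index in buf2 where strncat stores its terminating '\0';
 * valid indexes are 0..BUF2_SIZE-1. Assumes lt_len < BUF2_SIZE. */
size_t strncat_nul_index(size_t lt_len, size_t domain_len)
{
    size_t n = BUF2_SIZE - lt_len;                    /* third argument */
    size_t copied = domain_len < n ? domain_len : n;  /* bytes appended */
    return lt_len + copied;                           /* '\0' goes after them */
}

/* Returns 1 if strncpy(buf2, lt, 512) leaves buf2 without a terminator. */
int strncpy_leaves_unterminated(size_t lt_len)
{
    return lt_len >= BUF2_SIZE;
}

/* Bounded replacement: joins host and domain into dst. Returns 0 on success,
 * -1 if the result does not fit; a truncated name is rejected, not kept. */
int append_domain(char *dst, size_t dst_size, const char *host, const char *domain)
{
    int n;
    if (dst_size == 0) return -1;
    n = snprintf(dst, dst_size, "%s%s", host, domain);
    if (n < 0 || (size_t)n >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Joins a constructed host of host_len bytes and domain of domain_len bytes. */
int try_lengths(size_t host_len, size_t domain_len)
{
    char host[1024], domain[1024], out[BUF2_SIZE];
    if (host_len >= sizeof host || domain_len >= sizeof domain) return -1;
    memset(host, 'h', host_len);     host[host_len] = '\0';
    memset(domain, 'd', domain_len); domain[domain_len] = '\0';
    return append_domain(out, sizeof out, host, domain);
}

int main(void)
{
    printf("NUL index: %zu (last valid: %d)\n", strncat_nul_index(500, 12), BUF2_SIZE - 1);
    return 0;
}
```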