Bugtraq mailing list archives
Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc
From: Amos Jeffries <squid3 () treenet co nz>
Date: Fri, 08 Mar 2013 11:18:19 +1300
On 8/03/2013 10:07 a.m., Kurt Seifried wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/05/2013 01:53 PM, tytusromekiatomek () hushmail com wrote:

################################################################
# DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc #
################################################################
#
# Authors:
#
# 22733db72ab3ed94b5f8a1ffcde850251fe6f466
# c8e74ebd8392fda4788179f9a02bb49337638e7b
# AKAT-1
#
#######################################
#
# Versions: 3.2.5, 3.2.7

This error is only triggered when squid needs to generate an error page (for example the backend node is not responding, etc.).

POC (request):
-- cut --
GET http://127.0.0.1:1/foo HTTP/1.1
Accept-Language: ,
-- cut --

e.g.: curl -H "Accept-Language: ," http://localhost:3129/

Code:
strHdrAcptLangGetItem is called with pos equal to 0, therefore the first branch of the if (line 316) is taken; because xisspace(hdr[pos]) is false, pos++ is not executed (because hdr[0] is ','). In line 335 the condition of the while is also false because hdr[0] = ',', so the whole loop body is omitted. dt = lang, thus after the assignment in line 353 *lang == '\0', so the expression in the if statement in line 357 is false. So the next execution of the while body (line 314) has the same preconditions as the previous one, thus it's an infinite loop.

Was this reported upstream to squid-bugs () squid-cache org? Has anyone confirmed this, and if so, does it require a CVE #?
I confirm it is possible. A regression was introduced in some 3.2 parser alterations.
A preliminary patch is attached which restores the Squid-3.1 behaviour.

As this is triggerable by remote clients I am inclined to release an advisory. Affected stable versions are Squid-3.3 up to and including 3.3.2, Squid-3.2 up to and including 3.2.8.

Amos Jeffries
Squid Project
- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
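The control flow the advisory walks through (a header value whose first byte is ',' leaves pos at 0, the tag copy loop copies nothing, *lang stays '\0', and the outer loop re-enters with identical state) is modelled below as an added example. This is not Squid's errorpage.cc and not the attached patch: the function names get_item_vulnerable() and get_item_fixed(), the buffer sizes, the handling of ";q=..." parameters and the sample header values are all assumed for illustration. LOOP_CAP exists only so the vulnerable path returns instead of hanging the demo; in the reported versions nothing bounds the loop, which is why one request pins a CPU.

```c
/* Model of the Accept-Language tokenizer loop from the advisory (not Squid code). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LANG_LEN 16   /* assumed tag buffer size */
#define MAX_TAGS 8
#define LOOP_CAP 1000 /* demo guard only: the real loop has no bound */

static int is_delim(char c)
{
    return c == ',' || c == ';' || isspace((unsigned char)c);
}

/* Copy one tag, lowercased, into lang; stop at a delimiter, end of header or
 * a full buffer. A ";..." parameter suffix is dropped up to the next ','. */
static void copy_tag(const char *hdr, size_t len, char *lang, size_t langLen, size_t *pos)
{
    char *dt = lang;
    while (*pos < len && !is_delim(hdr[*pos]) && dt < lang + langLen - 1) {
        *dt++ = (char)tolower((unsigned char)hdr[*pos]);
        ++*pos;
    }
    if (*pos < len && hdr[*pos] == ';')
        while (*pos < len && hdr[*pos] != ',')
            ++*pos;
    *dt = '\0';
}

/* Returns 1 with a tag in lang, 0 at end of header, -1 if LOOP_CAP was hit
 * (the advisory's infinite loop made observable). */
static int get_item_vulnerable(const char *hdr, char *lang, size_t langLen, size_t *pos)
{
    size_t len = strlen(hdr);
    int iterations = 0;
    while (*pos < len) {
        if (++iterations > LOOP_CAP)
            return -1;
        if (*pos == 0) {
            /* first call: only leading whitespace is skipped, so a leading
             * ',' leaves *pos at 0 and copy_tag() copies nothing */
            while (*pos < len && isspace((unsigned char)hdr[*pos]))
                ++*pos;
        } else {
            ++*pos; /* later calls step over the delimiter we stopped on */
        }
        copy_tag(hdr, len, lang, langLen, pos);
        if (*lang != '\0')
            return 1;
        /* empty tag: loop again, with *pos unchanged if it was 0 */
    }
    return 0;
}

/* Fixed model: every pass consumes at least one delimiter byte or returns a
 * non-empty tag, so termination no longer depends on the header content. */
static int get_item_fixed(const char *hdr, char *lang, size_t langLen, size_t *pos)
{
    size_t len = strlen(hdr);
    while (*pos < len) {
        char c = hdr[*pos];
        if (c == ';') { /* stray parameter: skip to the next ',' */
            while (*pos < len && hdr[*pos] != ',')
                ++*pos;
            continue;
        }
        if (c == ',' || isspace((unsigned char)c)) {
            ++*pos;
            continue;
        }
        copy_tag(hdr, len, lang, langLen, pos); /* c is a tag byte: lang non-empty */
        return 1;
    }
    lang[0] = '\0';
    return 0;
}

typedef int (*get_item_fn)(const char *, char *, size_t, size_t *);

/* Drive a tokenizer over a whole header value; returns the tag count,
 * or -1 if the tokenizer hung (vulnerable path). */
static int tokenize(get_item_fn fn, const char *hdr, char tags[][LANG_LEN], int maxTags)
{
    size_t pos = 0;
    int n = 0, rc = 0;
    char lang[LANG_LEN];
    while (n < maxTags && (rc = fn(hdr, lang, sizeof lang, &pos)) == 1)
        strcpy(tags[n++], lang);
    return rc == -1 ? -1 : n;
}

int main(void)
{
    const char *samples[] = { ",", "en;q=0.8, fr", "de-CH, *" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; ++i) {
        char tags[MAX_TAGS][LANG_LEN];
        int v = tokenize(get_item_vulnerable, samples[i], tags, MAX_TAGS);
        int f = tokenize(get_item_fixed, samples[i], tags, MAX_TAGS);
        printf("\"%s\": vulnerable=%s fixed=%d tags\n", samples[i], v < 0 ? "HANG" : "ok", f);
    }
    return 0;
}
```

The property worth checking in any tokenizer of this shape is that the position variable advances on every pass of the outer loop regardless of input; the fixed variant makes that true structurally rather than relying on the first byte not being a delimiter.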
Attachment: accept_lang_vulnerability.patch