Re: squid-3.0.STABLE26: bug 3113: Squid can eat far too much memory when uploading files

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 05 Jan 2012 12:29:37 +1300

 On Wed, 04 Jan 2012 20:30:35 +0100, Bram wrote:
> Hi,
>
>
> Some questions about bug 3113 and squid-3.0.STABLE26
>
> http://bugs.squid-cache.org/show_bug.cgi?id=3113
> "Squid can eat far too much memory when uploading files."
>
> a) Does anyone have a backport for this bug to squid-3.0?
> The fix is committed on squid-3.1 and squid-3.2 but a patch does not
> appear to be available
> for squid-3.0.

 3.0 is obsolete and this is a minor DoS vulnerability only opened as a
 vulnerability at all by recent browser changes.

 If you can verify that the port works without additional side effects
 I'm happy to apply it to the 3.0 branch for a snapshot update.

>
> b) Assuming the answer to question 'a)' is no:
> Is anyone able/willing to review the attached patch?
> This is a backport (or at least an attempt) to squid-3.0.
>
> The 'patch' is based on:
> * http://bugs.squid-cache.org/attachment.cgi?id=2327 - "Possible fix,
> fourth iteration"
> * http://bazaar.launchpad.net/~squid/squid/3.1/revision/10171 - "Bug
> 3113: Squid can eat far too much memory when uploading files"
>
> [I obviously tested this and everything appears to be working but a
> review would be appreciated]

 Seems okay for the bits it is changing. It is missing the cache_cf.cc
 config file input validation hunk which can be seen at the top of the
 bzr patch though.

 I have not reviewed for reads in 3.0 which need to have the
 makeSpaceAvailable() check added.

 Amos
Received on Wed Jan 04 2012 - 23:29:41 MST