Ubuntu
squid3 package

Merge lp:~niedbalski/ubuntu/vivid/squid3/fix-pinger-icmp into lp:ubuntu/vivid/squid3

  1. Vivid (15.04)
  2. fix-pinger-icmp
  3. Merge into vivid
Proposed by Jorge Niedbalski
Status: Merged
Merge reported by: Iain Lane
Merged at revision: not available
Proposed branch: lp:~niedbalski/ubuntu/vivid/squid3/fix-pinger-icmp
Merge into: lp:ubuntu/vivid/squid3
Diff against target: 282 lines (+262/-0)
3 files modified
debian/changelog (+6/-0)
debian/patches/fix-icmp-pinger-icmp4-6.patch (+255/-0)
debian/patches/series (+1/-0)
To merge this branch: bzr merge lp:~niedbalski/ubuntu/vivid/squid3/fix-pinger-icmp
Reviewer Review Type Date Requested Status
Iain Lane Approve
Review via email: mp+242098@code.launchpad.net

Description of the change

Fixes LP: #1384943

Description: Fix various ICMP handling issues in Squid pinger

* ICMP code type logging display could over-read the registered type
  string arrays.

* Malformed ICMP packets were accepted into processing with undefined
  and potentially nasty results.

Both sets of flaws can result in pinger segmentation fault and halting
the Squid functionality relying on pinger for correct operation.

To post a comment you must log in.
lp:~niedbalski/ubuntu/vivid/squid3/fix-pinger-icmp updated
59. By Jorge Niedbalski

[changelog] Fix various ICMP handling issues in Squid pinger.

Revision history for this message
Iain Lane (laney) wrote :

Thanks, uploaded. It'd probably be good to merge the newer upstream version that Debian has.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'debian/changelog'
2--- debian/changelog 2014-08-26 13:51:07 +0000
3+++ debian/changelog 2014-11-18 17:48:36 +0000
4@@ -1,3 +1,9 @@
5+squid3 (3.3.8-1ubuntu9) vivid; urgency=medium
6+
7+ * Fix various ICMP handling issues in Squid pinger.
8+
9+ -- Jorge Niedbalski <jorge.niedbalski@canonical.com> Tue, 18 Nov 2014 14:47:33 -0300
10+
11 squid3 (3.3.8-1ubuntu8) utopic; urgency=medium
12
13 * SECURITY UPDATE: Ignore Range headers with unidentifiable byte-range
14
15=== added file 'debian/patches/fix-icmp-pinger-icmp4-6.patch'
16--- debian/patches/fix-icmp-pinger-icmp4-6.patch 1970-01-01 00:00:00 +0000
17+++ debian/patches/fix-icmp-pinger-icmp4-6.patch 2014-11-18 17:48:36 +0000
18@@ -0,0 +1,255 @@
19+Description: Fix various ICMP handling issues in Squid pinger
20+
21+* ICMP code type logging display could over-read the registered type
22+ string arrays.
23+
24+* Malformed ICMP packets were accepted into processing with undefined
25+ and potentially nasty results.
26+
27+Both sets of flaws can result in pinger segmentation fault and halting
28+the Squid functionality relying on pinger for correct operation.
29+
30+Author: Jamie Strandboge <jamie@ubuntu.com>
31+Origin: upstream, http://bazaar.launchpad.net/~squid/squid/3.2/revision/11830
32+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1384943
33+
34+--- squid3-3.3.8.orig/src/icmp/Icmp4.cc
35++++ squid3-3.3.8/src/icmp/Icmp4.cc
36+@@ -41,26 +41,38 @@
37+ #include "IcmpPinger.h"
38+ #include "Debug.h"
39+
40+-const char *icmpPktStr[] = {
41+- "Echo Reply",
42+- "ICMP 1",
43+- "ICMP 2",
44+- "Destination Unreachable",
45+- "Source Quench",
46+- "Redirect",
47+- "ICMP 6",
48+- "ICMP 7",
49+- "Echo",
50+- "ICMP 9",
51+- "ICMP 10",
52+- "Time Exceeded",
53+- "Parameter Problem",
54+- "Timestamp",
55+- "Timestamp Reply",
56+- "Info Request",
57+- "Info Reply",
58+- "Out of Range Type"
59+-};
60++static const char *
61++IcmpPacketType(uint8_t v)
62++{
63++ static const char *icmpPktStr[] = {
64++ "Echo Reply",
65++ "ICMP 1",
66++ "ICMP 2",
67++ "Destination Unreachable",
68++ "Source Quench",
69++ "Redirect",
70++ "ICMP 6",
71++ "ICMP 7",
72++ "Echo",
73++ "ICMP 9",
74++ "ICMP 10",
75++ "Time Exceeded",
76++ "Parameter Problem",
77++ "Timestamp",
78++ "Timestamp Reply",
79++ "Info Request",
80++ "Info Reply",
81++ "Out of Range Type"
82++ };
83++
84++ if (v > 17) {
85++ static char buf[50];
86++ snprintf(buf, sizeof(buf), "ICMP %u (invalid)", v);
87++ return buf;
88++ }
89++
90++ return icmpPktStr[v];
91++}
92+
93+ Icmp4::Icmp4() : Icmp()
94+ {
95+@@ -187,6 +199,12 @@ Icmp4::Recv(void)
96+ from->ai_addr,
97+ &from->ai_addrlen);
98+
99++ if (n <= 0) {
100++ debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMP socket.");
101++ Ip::Address::FreeAddrInfo(from);
102++ return;
103++ }
104++
105+ preply.from = *from;
106+
107+ #if GETTIMEOFDAY_NO_TZP
108+@@ -243,9 +261,15 @@ Icmp4::Recv(void)
109+
110+ preply.psize = n - iphdrlen - (sizeof(icmpEchoData) - MAX_PKT4_SZ);
111+
112++ if (preply.psize < 0) {
113++ debugs(42, DBG_CRITICAL, HERE << "Malformed ICMP packet.");
114++ Ip::Address::FreeAddrInfo(from);
115++ return;
116++ }
117++
118+ control.SendResult(preply, (sizeof(pingerReplyData) - MAX_PKT4_SZ + preply.psize) );
119+
120+- Log(preply.from, icmp->icmp_type, icmpPktStr[icmp->icmp_type], preply.rtt, preply.hops);
121++ Log(preply.from, icmp->icmp_type, IcmpPacketType(icmp->icmp_type), preply.rtt, preply.hops);
122+ preply.from.FreeAddrInfo(from);
123+ }
124+
125+--- squid3-3.3.8.orig/src/icmp/Icmp6.cc
126++++ squid3-3.3.8/src/icmp/Icmp6.cc
127+@@ -51,56 +51,62 @@
128+ // Icmp6 OP-Codes
129+ // see http://www.iana.org/assignments/icmpv6-parameters
130+ // NP: LowPktStr is for codes 0-127
131+-static const char *icmp6LowPktStr[] = {
132+- "ICMP 0", // 0
133+- "Destination Unreachable", // 1 - RFC2463
134+- "Packet Too Big", // 2 - RFC2463
135+- "Time Exceeded", // 3 - RFC2463
136+- "Parameter Problem", // 4 - RFC2463
137+- "ICMP 5", // 5
138+- "ICMP 6", // 6
139+- "ICMP 7", // 7
140+- "ICMP 8", // 8
141+- "ICMP 9", // 9
142+- "ICMP 10" // 10
143+-};
144+-
145+-// NP: HighPktStr is for codes 128-255
146+-static const char *icmp6HighPktStr[] = {
147+- "Echo Request", // 128 - RFC2463
148+- "Echo Reply", // 129 - RFC2463
149+- "Multicast Listener Query", // 130 - RFC2710
150+- "Multicast Listener Report", // 131 - RFC2710
151+- "Multicast Listener Done", // 132 - RFC2710
152+- "Router Solicitation", // 133 - RFC4861
153+- "Router Advertisement", // 134 - RFC4861
154+- "Neighbor Solicitation", // 135 - RFC4861
155+- "Neighbor Advertisement", // 136 - RFC4861
156+- "Redirect Message", // 137 - RFC4861
157+- "Router Renumbering", // 138 - Crawford
158+- "ICMP Node Information Query", // 139 - RFC4620
159+- "ICMP Node Information Response", // 140 - RFC4620
160+- "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122
161+- "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122
162+- "Version 2 Multicast Listener Report", // 143 - RFC3810
163+- "Home Agent Address Discovery Request", // 144 - RFC3775
164+- "Home Agent Address Discovery Reply", // 145 - RFC3775
165+- "Mobile Prefix Solicitation", // 146 - RFC3775
166+- "Mobile Prefix Advertisement", // 147 - RFC3775
167+- "Certification Path Solicitation", // 148 - RFC3971
168+- "Certification Path Advertisement", // 149 - RFC3971
169+- "ICMP Experimental (150)", // 150 - RFC4065
170+- "Multicast Router Advertisement", // 151 - RFC4286
171+- "Multicast Router Solicitation", // 152 - RFC4286
172+- "Multicast Router Termination", // 153 - [RFC4286]
173+- "ICMP 154",
174+- "ICMP 155",
175+- "ICMP 156",
176+- "ICMP 157",
177+- "ICMP 158",
178+- "ICMP 159",
179+- "ICMP 160"
180+-};
181++
182++static const char *
183++IcmpPacketType(uint8_t v)
184++{
185++ // NP: LowPktStr is for codes 0-127
186++ static const char *icmp6LowPktStr[] = {
187++ "ICMPv6 0", // 0
188++ "Destination Unreachable", // 1 - RFC2463
189++ "Packet Too Big", // 2 - RFC2463
190++ "Time Exceeded", // 3 - RFC2463
191++ "Parameter Problem", // 4 - RFC2463
192++ };
193++
194++ // low codes 1-4 registered
195++ if (0 < v && v < 5)
196++ return icmp6LowPktStr[(int)(v&0x7f)];
197++
198++ // NP: HighPktStr is for codes 128-255
199++ static const char *icmp6HighPktStr[] = {
200++ "Echo Request", // 128 - RFC2463
201++ "Echo Reply", // 129 - RFC2463
202++ "Multicast Listener Query", // 130 - RFC2710
203++ "Multicast Listener Report", // 131 - RFC2710
204++ "Multicast Listener Done", // 132 - RFC2710
205++ "Router Solicitation", // 133 - RFC4861
206++ "Router Advertisement", // 134 - RFC4861
207++ "Neighbor Solicitation", // 135 - RFC4861
208++ "Neighbor Advertisement", // 136 - RFC4861
209++ "Redirect Message", // 137 - RFC4861
210++ "Router Renumbering", // 138 - Crawford
211++ "ICMP Node Information Query", // 139 - RFC4620
212++ "ICMP Node Information Response", // 140 - RFC4620
213++ "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122
214++ "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122
215++ "Version 2 Multicast Listener Report", // 143 - RFC3810
216++ "Home Agent Address Discovery Request", // 144 - RFC3775
217++ "Home Agent Address Discovery Reply", // 145 - RFC3775
218++ "Mobile Prefix Solicitation", // 146 - RFC3775
219++ "Mobile Prefix Advertisement", // 147 - RFC3775
220++ "Certification Path Solicitation", // 148 - RFC3971
221++ "Certification Path Advertisement", // 149 - RFC3971
222++ "ICMP Experimental (150)", // 150 - RFC4065
223++ "Multicast Router Advertisement", // 151 - RFC4286
224++ "Multicast Router Solicitation", // 152 - RFC4286
225++ "Multicast Router Termination", // 153 - [RFC4286]
226++ };
227++
228++ // high codes 127-153 registered
229++ if (127 < v && v < 154)
230++ return icmp6HighPktStr[(int)(v&0x7f)];
231++
232++ // give all others a generic display
233++ static char buf[50];
234++ snprintf(buf, sizeof(buf), "ICMPv6 %u", v);
235++ return buf;
236++}
237+
238+ Icmp6::Icmp6() : Icmp()
239+ {
240+@@ -236,6 +242,12 @@ Icmp6::Recv(void)
241+ from->ai_addr,
242+ &from->ai_addrlen);
243+
244++ if (n <= 0) {
245++ debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMPv6 socket.");
246++ Ip::Address::FreeAddrInfo(from);
247++ return;
248++ }
249++
250+ preply.from = *from;
251+
252+ #if GETTIMEOFDAY_NO_TZP
253+@@ -291,9 +303,9 @@ Icmp6::Recv(void)
254+
255+ default:
256+ debugs(42, 8, HERE << preply.from << " said: " << icmp6header->icmp6_type << "/" << (int)icmp6header->icmp6_code << " " <<
257+- ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] )
258+- );
259++ IcmpPacketType(icmp6header->icmp6_type));
260+ }
261++
262+ preply.from.FreeAddrInfo(from);
263+ return;
264+ }
265+@@ -331,7 +343,7 @@ Icmp6::Recv(void)
266+
267+ Log(preply.from,
268+ icmp6header->icmp6_type,
269+- ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ),
270++ IcmpPacketType(icmp6header->icmp6_type),
271+ preply.rtt,
272+ preply.hops);
273+
274
275=== modified file 'debian/patches/series'
276--- debian/patches/series 2014-08-26 13:51:07 +0000
277+++ debian/patches/series 2014-11-18 17:48:36 +0000
278@@ -7,3 +7,4 @@
279 fix-pod2man-config.test.patch
280 fix-distribution.patch
281 CVE-2014-3609.patch
282+fix-icmp-pinger-icmp4-6.patch

Subscribers

People subscribed via source and target branches