1
=== modified file 'debian/changelog'
2
--- debian/changelog	2014-08-26 13:51:07 +0000
3
+++ debian/changelog	2014-11-18 17:48:36 +0000
4
@@ -1,3 +1,9 @@
5
1
squid3 (3.3.8-1ubuntu9) vivid; urgency=medium
6
2
7
3
  * Fix various ICMP handling issues in Squid pinger.
8
4
9
5
 -- Jorge Niedbalski <jorge.niedbalski@canonical.com>  Tue, 18 Nov 2014 14:47:33 -0300
10
6
11
1
squid3 (3.3.8-1ubuntu8) utopic; urgency=medium
7
squid3 (3.3.8-1ubuntu8) utopic; urgency=medium
12
2
8
13
3
  * SECURITY UPDATE: Ignore Range headers with unidentifiable byte-range
9
  * SECURITY UPDATE: Ignore Range headers with unidentifiable byte-range
14
4
10
15
=== added file 'debian/patches/fix-icmp-pinger-icmp4-6.patch'
16
--- debian/patches/fix-icmp-pinger-icmp4-6.patch	1970-01-01 00:00:00 +0000
17
+++ debian/patches/fix-icmp-pinger-icmp4-6.patch	2014-11-18 17:48:36 +0000
18
@@ -0,0 +1,255 @@
19
1
Description: Fix various ICMP handling issues in Squid pinger
20
2
21
3
* ICMP code type logging display could over-read the registered type
22
4
  string arrays.
23
5
24
6
* Malformed ICMP packets were accepted into processing with undefined
25
7
  and potentially nasty results.
26
8
27
9
Both sets of flaws can result in pinger segmentation fault and halting
28
10
the Squid functionality relying on pinger for correct operation.
29
11
30
12
Author: Jamie Strandboge <jamie@ubuntu.com>
31
13
Origin: upstream, http://bazaar.launchpad.net/~squid/squid/3.2/revision/11830
32
14
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1384943
33
15
34
16
--- squid3-3.3.8.orig/src/icmp/Icmp4.cc
35
17
+++ squid3-3.3.8/src/icmp/Icmp4.cc
36
18
@@ -41,26 +41,38 @@
37
19
 #include "IcmpPinger.h"
38
20
 #include "Debug.h"
39
21
 
40
22
-const char *icmpPktStr[] = {
41
23
-    "Echo Reply",
42
24
-    "ICMP 1",
43
25
-    "ICMP 2",
44
26
-    "Destination Unreachable",
45
27
-    "Source Quench",
46
28
-    "Redirect",
47
29
-    "ICMP 6",
48
30
-    "ICMP 7",
49
31
-    "Echo",
50
32
-    "ICMP 9",
51
33
-    "ICMP 10",
52
34
-    "Time Exceeded",
53
35
-    "Parameter Problem",
54
36
-    "Timestamp",
55
37
-    "Timestamp Reply",
56
38
-    "Info Request",
57
39
-    "Info Reply",
58
40
-    "Out of Range Type"
59
41
-};
60
42
+static const char *
61
43
+IcmpPacketType(uint8_t v)
62
44
+{
63
45
+    static const char *icmpPktStr[] = {
64
46
+        "Echo Reply",
65
47
+        "ICMP 1",
66
48
+        "ICMP 2",
67
49
+        "Destination Unreachable",
68
50
+        "Source Quench",
69
51
+        "Redirect",
70
52
+        "ICMP 6",
71
53
+        "ICMP 7",
72
54
+        "Echo",
73
55
+        "ICMP 9",
74
56
+        "ICMP 10",
75
57
+        "Time Exceeded",
76
58
+        "Parameter Problem",
77
59
+        "Timestamp",
78
60
+        "Timestamp Reply",
79
61
+        "Info Request",
80
62
+        "Info Reply",
81
63
+        "Out of Range Type"
82
64
+    };
83
65
+
84
66
+    if (v > 17) {
85
67
+        static char buf[50];
86
68
+        snprintf(buf, sizeof(buf), "ICMP %u (invalid)", v);
87
69
+        return buf;
88
70
+    }
89
71
+
90
72
+    return icmpPktStr[v];
91
73
+}
92
74
 
93
75
 Icmp4::Icmp4() : Icmp()
94
76
 {
95
77
@@ -187,6 +199,12 @@ Icmp4::Recv(void)
96
78
                  from->ai_addr,
97
79
                  &from->ai_addrlen);
98
80
 
99
81
+    if  (n <= 0) {
100
82
+        debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMP socket.");
101
83
+        Ip::Address::FreeAddrInfo(from);
102
84
+        return;
103
85
+    }
104
86
+
105
87
     preply.from = *from;
106
88
 
107
89
 #if GETTIMEOFDAY_NO_TZP
108
90
@@ -243,9 +261,15 @@ Icmp4::Recv(void)
109
91
 
110
92
     preply.psize = n - iphdrlen - (sizeof(icmpEchoData) - MAX_PKT4_SZ);
111
93
 
112
94
+    if (preply.psize < 0) {
113
95
+        debugs(42, DBG_CRITICAL, HERE << "Malformed ICMP packet.");
114
96
+        Ip::Address::FreeAddrInfo(from);
115
97
+        return;
116
98
+    }
117
99
+
118
100
     control.SendResult(preply, (sizeof(pingerReplyData) - MAX_PKT4_SZ + preply.psize) );
119
101
 
120
102
-    Log(preply.from, icmp->icmp_type, icmpPktStr[icmp->icmp_type], preply.rtt, preply.hops);
121
103
+    Log(preply.from, icmp->icmp_type, IcmpPacketType(icmp->icmp_type), preply.rtt, preply.hops);
122
104
     preply.from.FreeAddrInfo(from);
123
105
 }
124
106
 
125
107
--- squid3-3.3.8.orig/src/icmp/Icmp6.cc
126
108
+++ squid3-3.3.8/src/icmp/Icmp6.cc
127
109
@@ -51,56 +51,62 @@
128
110
 // Icmp6 OP-Codes
129
111
 // see http://www.iana.org/assignments/icmpv6-parameters
130
112
 // NP: LowPktStr is for codes 0-127
131
113
-static const char *icmp6LowPktStr[] = {
132
114
-    "ICMP 0",			// 0
133
115
-    "Destination Unreachable",	// 1 - RFC2463
134
116
-    "Packet Too Big", 		// 2 - RFC2463
135
117
-    "Time Exceeded",		// 3 - RFC2463
136
118
-    "Parameter Problem",		// 4 - RFC2463
137
119
-    "ICMP 5",			// 5
138
120
-    "ICMP 6",			// 6
139
121
-    "ICMP 7",			// 7
140
122
-    "ICMP 8",			// 8
141
123
-    "ICMP 9",			// 9
142
124
-    "ICMP 10"			// 10
143
125
-};
144
126
-
145
127
-// NP: HighPktStr is for codes 128-255
146
128
-static const char *icmp6HighPktStr[] = {
147
129
-    "Echo Request",					// 128 - RFC2463
148
130
-    "Echo Reply",					// 129 - RFC2463
149
131
-    "Multicast Listener Query",			// 130 - RFC2710
150
132
-    "Multicast Listener Report",			// 131 - RFC2710
151
133
-    "Multicast Listener Done",			// 132 - RFC2710
152
134
-    "Router Solicitation",				// 133 - RFC4861
153
135
-    "Router Advertisement",				// 134 - RFC4861
154
136
-    "Neighbor Solicitation",			// 135 - RFC4861
155
137
-    "Neighbor Advertisement",			// 136 - RFC4861
156
138
-    "Redirect Message",				// 137 - RFC4861
157
139
-    "Router Renumbering",				// 138 - Crawford
158
140
-    "ICMP Node Information Query",			// 139 - RFC4620
159
141
-    "ICMP Node Information Response",		// 140 - RFC4620
160
142
-    "Inverse Neighbor Discovery Solicitation",	// 141 - RFC3122
161
143
-    "Inverse Neighbor Discovery Advertisement",	// 142 - RFC3122
162
144
-    "Version 2 Multicast Listener Report",		// 143 - RFC3810
163
145
-    "Home Agent Address Discovery Request",		// 144 - RFC3775
164
146
-    "Home Agent Address Discovery Reply",		// 145 - RFC3775
165
147
-    "Mobile Prefix Solicitation",			// 146 - RFC3775
166
148
-    "Mobile Prefix Advertisement",			// 147 - RFC3775
167
149
-    "Certification Path Solicitation",		// 148 - RFC3971
168
150
-    "Certification Path Advertisement",		// 149 - RFC3971
169
151
-    "ICMP Experimental (150)",			// 150 - RFC4065
170
152
-    "Multicast Router Advertisement",		// 151 - RFC4286
171
153
-    "Multicast Router Solicitation",		// 152 - RFC4286
172
154
-    "Multicast Router Termination",			// 153 - [RFC4286]
173
155
-    "ICMP 154",
174
156
-    "ICMP 155",
175
157
-    "ICMP 156",
176
158
-    "ICMP 157",
177
159
-    "ICMP 158",
178
160
-    "ICMP 159",
179
161
-    "ICMP 160"
180
162
-};
181
163
+
182
164
+static const char *
183
165
+IcmpPacketType(uint8_t v)
184
166
+{
185
167
+    // NP: LowPktStr is for codes 0-127
186
168
+    static const char *icmp6LowPktStr[] = {
187
169
+        "ICMPv6 0",			// 0
188
170
+        "Destination Unreachable",	// 1 - RFC2463
189
171
+        "Packet Too Big", 		// 2 - RFC2463
190
172
+        "Time Exceeded",		// 3 - RFC2463
191
173
+        "Parameter Problem",		// 4 - RFC2463
192
174
+    };
193
175
+
194
176
+    // low codes 1-4 registered
195
177
+    if (0 < v && v < 5)
196
178
+        return icmp6LowPktStr[(int)(v&0x7f)];
197
179
+
198
180
+    // NP: HighPktStr is for codes 128-255
199
181
+    static const char *icmp6HighPktStr[] = {
200
182
+        "Echo Request",					// 128 - RFC2463
201
183
+        "Echo Reply",					// 129 - RFC2463
202
184
+        "Multicast Listener Query",			// 130 - RFC2710
203
185
+        "Multicast Listener Report",			// 131 - RFC2710
204
186
+        "Multicast Listener Done",			// 132 - RFC2710
205
187
+        "Router Solicitation",				// 133 - RFC4861
206
188
+        "Router Advertisement",				// 134 - RFC4861
207
189
+        "Neighbor Solicitation",			// 135 - RFC4861
208
190
+        "Neighbor Advertisement",			// 136 - RFC4861
209
191
+        "Redirect Message",				// 137 - RFC4861
210
192
+        "Router Renumbering",				// 138 - Crawford
211
193
+        "ICMP Node Information Query",			// 139 - RFC4620
212
194
+        "ICMP Node Information Response",		// 140 - RFC4620
213
195
+        "Inverse Neighbor Discovery Solicitation",	// 141 - RFC3122
214
196
+        "Inverse Neighbor Discovery Advertisement",	// 142 - RFC3122
215
197
+        "Version 2 Multicast Listener Report",		// 143 - RFC3810
216
198
+        "Home Agent Address Discovery Request",		// 144 - RFC3775
217
199
+        "Home Agent Address Discovery Reply",		// 145 - RFC3775
218
200
+        "Mobile Prefix Solicitation",			// 146 - RFC3775
219
201
+        "Mobile Prefix Advertisement",			// 147 - RFC3775
220
202
+        "Certification Path Solicitation",		// 148 - RFC3971
221
203
+        "Certification Path Advertisement",		// 149 - RFC3971
222
204
+        "ICMP Experimental (150)",			// 150 - RFC4065
223
205
+        "Multicast Router Advertisement",		// 151 - RFC4286
224
206
+        "Multicast Router Solicitation",		// 152 - RFC4286
225
207
+        "Multicast Router Termination",			// 153 - [RFC4286]
226
208
+    };
227
209
+
228
210
+    // high codes 127-153 registered
229
211
+    if (127 < v && v < 154)
230
212
+        return icmp6HighPktStr[(int)(v&0x7f)];
231
213
+
232
214
+    // give all others a generic display
233
215
+    static char buf[50];
234
216
+    snprintf(buf, sizeof(buf), "ICMPv6 %u", v);
235
217
+    return buf;
236
218
+}
237
219
 
238
220
 Icmp6::Icmp6() : Icmp()
239
221
 {
240
222
@@ -236,6 +242,12 @@ Icmp6::Recv(void)
241
223
                  from->ai_addr,
242
224
                  &from->ai_addrlen);
243
225
 
244
226
+    if (n <= 0) {
245
227
+        debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMPv6 socket.");
246
228
+        Ip::Address::FreeAddrInfo(from);
247
229
+        return;
248
230
+    }
249
231
+
250
232
     preply.from = *from;
251
233
 
252
234
 #if GETTIMEOFDAY_NO_TZP
253
235
@@ -291,9 +303,9 @@ Icmp6::Recv(void)
254
236
 
255
237
         default:
256
238
             debugs(42, 8, HERE << preply.from << " said: " << icmp6header->icmp6_type << "/" << (int)icmp6header->icmp6_code << " " <<
257
239
-                   ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] )
258
240
-                  );
259
241
+                   IcmpPacketType(icmp6header->icmp6_type));
260
242
         }
261
243
+
262
244
         preply.from.FreeAddrInfo(from);
263
245
         return;
264
246
     }
265
247
@@ -331,7 +343,7 @@ Icmp6::Recv(void)
266
248
 
267
249
     Log(preply.from,
268
250
         icmp6header->icmp6_type,
269
251
-        ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ),
270
252
+        IcmpPacketType(icmp6header->icmp6_type),
271
253
         preply.rtt,
272
254
         preply.hops);
273
255
 
274
0
256
275
=== modified file 'debian/patches/series'
276
--- debian/patches/series	2014-08-26 13:51:07 +0000
277
+++ debian/patches/series	2014-11-18 17:48:36 +0000
278
@@ -7,3 +7,4 @@
279
7
fix-pod2man-config.test.patch
7
fix-pod2man-config.test.patch
280
8
fix-distribution.patch
8
fix-distribution.patch
281
9
CVE-2014-3609.patch
9
CVE-2014-3609.patch
282
10
fix-icmp-pinger-icmp4-6.patch
Status:	Merged
Merge reported by:	Iain Lane
Merged at revision:	not available
Proposed branch:	lp:~niedbalski/ubuntu/vivid/squid3/fix-pinger-icmp
Merge into:	lp:ubuntu/vivid/squid3
Diff against target:	282 lines (+262/-0) 3 files modified debian/changelog (+6/-0) debian/patches/fix-icmp-pinger-icmp4-6.patch (+255/-0) debian/patches/series (+1/-0)
To merge this branch:	bzr merge lp:~niedbalski/ubuntu/vivid/squid3/fix-pinger-icmp
Related bugs:	Link a bug report
Reviewer	Review Type	Date Requested	Status
Iain Lane		2014-11-18	Approve on 2014-11-24
Review via email: mp+242098@code.launchpad.net