Description: fix denial of service via ESI responses
Origin: upstream, http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823968
Index: squid3-3.5.12/src/client_side_request.cc
===================================================================
--- squid3-3.5.12.orig/src/client_side_request.cc 2015-12-02 13:10:29.000000000 -0500
+++ squid3-3.5.12/src/client_side_request.cc 2016-06-07 08:08:22.755895992 -0400
@@ -141,16 +141,18 @@
 setConn(aConn);
 al = new AccessLogEntry;
 al->cache.start_time = current_time;
- al->tcpClient = clientConnection = aConn->clientConnection;
- al->cache.port = aConn->port;
- al->cache.caddr = aConn->log_addr;
+ if (aConn) {
+ al->tcpClient = clientConnection = aConn->clientConnection;
+ al->cache.port = aConn->port;
+ al->cache.caddr = aConn->log_addr;
 #if USE_OPENSSL
- if (aConn->clientConnection != NULL && aConn->clientConnection->isOpen()) {
- if (SSL *ssl = fd_table[aConn->clientConnection->fd].ssl)
- al->cache.sslClientCert.reset(SSL_get_peer_certificate(ssl));
- }
+ if (aConn->clientConnection != NULL && aConn->clientConnection->isOpen()) {
+ if (SSL *ssl = fd_table[aConn->clientConnection->fd].ssl)
+ al->cache.sslClientCert.reset(SSL_get_peer_certificate(ssl));
+ }
 #endif
+ }
 dlinkAdd(this, &active, &ClientActiveRequests);
 #if USE_ADAPTATION
 request_satisfaction_mode = false;
Index: squid3-3.5.12/src/esi/Context.h
===================================================================
--- squid3-3.5.12.orig/src/esi/Context.h 2015-12-02 13:10:29.000000000 -0500
+++ squid3-3.5.12/src/esi/Context.h 2016-06-07 08:08:22.755895992 -0400
@@ -13,6 +13,7 @@
 #include "err_type.h"
 #include "esi/Element.h"
 #include "esi/Parser.h"
+#include "HttpReply.h"
 #include "http/StatusCode.h"
 class ESIVarState;
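Review bot: In the `@@ -141,16 +141,18 @@` hunk of src/client_side_request.cc the new `if (aConn)` guard makes a null connection a legal constructor input, but nothing in the code says so, and `clientConnection`, `al->tcpClient`, `al->cache.port` and `al->cache.caddr` are silently left at their defaults on that path. I would add a comment above the guard, e.g. `// aConn may be NULL when no client connection backs this request; connection-derived fields then keep their defaults`, so a later edit does not reintroduce an unchecked dereference. `setConn(aConn)` still runs before the guard and its body is not in the hunk, so it is worth confirming that it tolerates NULL, as must any later reader of `clientConnection`. The enclosing constructor starts and ends outside the hunk.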
@@ -91,7 +92,7 @@
 err_type errorpage; /* if we error what page to use */
 Http::StatusCode errorstatus; /* if we error, what code to return */
 char *errormessage; /* error to pass to error page */
- HttpReply *rep; /* buffered until we pass data downstream */
+ HttpReply::Pointer rep; /* buffered until we pass data downstream */
 ESISegment::Pointer buffered; /* unprocessed data - for whatever reason */
 ESISegment::Pointer incoming; /* processed data we are waiting to send, or for
Index: squid3-3.5.12/src/esi/Esi.cc
===================================================================
--- squid3-3.5.12.orig/src/esi/Esi.cc 2016-06-07 08:07:35.407220931 -0400
+++ squid3-3.5.12/src/esi/Esi.cc 2016-06-07 08:08:22.755895992 -0400
@@ -573,7 +573,7 @@
 #endif
- if (!(rep || (outbound.getRaw() &&
+ if (!(rep != NULL || (outbound.getRaw() &&
 outbound->len && (outbound_offset <= outbound->len)))) {
 debugs(86, 5, "ESIContext::send: Nothing to send.");
 return 0;
@@ -618,18 +618,18 @@
 flags.clientwantsdata = 0;
 debugs(86, 5, "ESIContext::send: this=" << this << " Client no longer wants data ");
 /* Deal with re-entrancy */
- HttpReply *temprep = rep;
+ HttpReply::Pointer temprep = rep;
 rep = NULL; /* freed downstream */
- if (temprep && varState)
- varState->buildVary (temprep);
+ if (temprep != NULL && varState)
+ varState->buildVary(temprep.getRaw());
 {
 StoreIOBuffer tempBuffer;
 tempBuffer.length = len;
 tempBuffer.offset = pos - len;
 tempBuffer.data = next->readBuffer.data;
- clientStreamCallback (thisNode, http, temprep, tempBuffer);
+ clientStreamCallback (thisNode, http, temprep.getRaw(), tempBuffer);
 }
 if (len == 0)
@@ -1259,7 +1259,7 @@
 ++parserState.stackdepth;
 }
- if (rep && !parserState.inited())
+ if (rep != NULL && !parserState.inited())
 parserState.init(this);
 /* we have data */
@@ -1398,7 +1398,7 @@
 {
 debugs(86, 5, HERE << "Freeing for this=" << this);
- HTTPMSGUNLOCK(rep);
+ rep = NULL; // refcounted
 finishChildren ();
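Review bot: The trailing comment on `rep` in the `@@ -91,7 +92,7 @@` hunk of src/esi/Context.h still describes only buffering, while this line changes who owns the reply object. I would write `HttpReply::Pointer rep; /* ref-counted; buffered until we pass data downstream */` so that nobody pairs this member with a manual lock or unlock again. The enclosing declaration starts and ends outside the hunk.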
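Review bot: The `/* freed downstream */` comment on `rep = NULL;` in the `@@ -618,18 +618,18 @@` hunk of src/esi/Esi.cc is stale after this change: `temprep` is now an `HttpReply::Pointer` that holds its own reference until it goes out of scope, and `clientStreamCallback` receives only `temprep.getRaw()`. I would reword it to `rep = NULL; /* temprep keeps the reply alive across the re-entrant callback */`. Whether downstream nodes take their own reference when they retain that raw pointer is not visible here and should be confirmed, because a consumer that assumed it inherited the caller's reference would be left with a dangling pointer once `temprep` is released. The enclosing function starts and ends outside the hunk.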