diff -u -r -N squid-3.2.3/ChangeLog squid-3.2.4/ChangeLog
--- squid-3.2.3/ChangeLog 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/ChangeLog 2012-12-02 22:23:10.000000000 +1300
@@ -1,3 +1,15 @@
+Changes to squid-3.2.4 (03 Dec 2012):
+
+ - Ported: urllogin ACL from squid 2.7
+ - Bug 3688: Lots of Orphan Comm:Connections to ICAP server
+ - Bug 3677: Port un-pinning logic changes from squid 3.3
+ - Bug 3405: ssl_crtd crashes failing to remove certificate
+ - ... and major bugs fixed in squid 3.1.22
+ - Fix accept_filter on Linux
+ - Remove 'Bungled' warning on missing component directives
+ - ... and many buffer and memory leak issues in the bundled helpers
+ - ... and a small amount of code polishing
+
Changes to squid-3.2.3 (21 Oct 2012):
- Regression: SMP crashes on startup with workers > 1
@@ -435,6 +447,14 @@
- ... and a great many testing improvements
- ... and many documentation updates
+Changes to squid-3.1.22 (03 Dec 2012):
+
+ - Bug 3685: Squid hangs in Delay Pools ClassCBucket::update
+ - Bug 3659: read_timeout problem with HTTPS
+ - Bug 3654: Fix IPv6 enabled squidclient
+ - Bug 3189: AIO thread race on pipe() initialization
+ - cachemgr.cgi: Memory Leaks and DoS Vulnerability
+
Changes to squid-3.1.21 (23 Sep 2012):
- Bug 3622: peerClearRRStart scheduling multiple events
diff -u -r -N squid-3.2.3/configure squid-3.2.4/configure
--- squid-3.2.3/configure 2012-10-21 01:40:38.000000000 +1300
+++ squid-3.2.4/configure 2012-12-02 22:24:01.000000000 +1300
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac Revision.
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.2.3.
+# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.2.4.
#
# Report bugs to .
#
@@ -575,8 +575,8 @@
# Identity of this package.
PACKAGE_NAME='Squid Web Proxy'
PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='3.2.3'
-PACKAGE_STRING='Squid Web Proxy 3.2.3'
+PACKAGE_VERSION='3.2.4'
+PACKAGE_STRING='Squid Web Proxy 3.2.4'
PACKAGE_BUGREPORT='http://www.squid-cache.org/bugs/'
PACKAGE_URL=''
@@ -1571,7 +1571,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures Squid Web Proxy 3.2.3 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 3.2.4 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1641,7 +1641,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of Squid Web Proxy 3.2.3:";;
+ short | recursive ) echo "Configuration of Squid Web Proxy 3.2.4:";;
esac
cat <<\_ACEOF
@@ -2019,7 +2019,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-Squid Web Proxy configure 3.2.3
+Squid Web Proxy configure 3.2.4
generated by GNU Autoconf 2.68
Copyright (C) 2010 Free Software Foundation, Inc.
@@ -3115,7 +3115,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by Squid Web Proxy $as_me 3.2.3, which was
+It was created by Squid Web Proxy $as_me 3.2.4, which was
generated by GNU Autoconf 2.68. Invocation command line was
$ $0 $@
@@ -3934,7 +3934,7 @@
# Define the identity of the package.
PACKAGE='squid'
- VERSION='3.2.3'
+ VERSION='3.2.4'
cat >>confdefs.h <<_ACEOF
@@ -30894,7 +30894,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by Squid Web Proxy $as_me 3.2.3, which was
+This file was extended by Squid Web Proxy $as_me 3.2.4, which was
generated by GNU Autoconf 2.68. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -30960,7 +30960,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-Squid Web Proxy config.status 3.2.3
+Squid Web Proxy config.status 3.2.4
configured by $0, generated by GNU Autoconf 2.68,
with options \\"\$ac_cs_config\\"
diff -u -r -N squid-3.2.3/configure.ac squid-3.2.4/configure.ac
--- squid-3.2.3/configure.ac 2012-10-21 01:40:38.000000000 +1300
+++ squid-3.2.4/configure.ac 2012-12-02 22:24:01.000000000 +1300
@@ -3,7 +3,7 @@
dnl
dnl
dnl
-AC_INIT([Squid Web Proxy],[3.2.3],[http://www.squid-cache.org/bugs/],[squid])
+AC_INIT([Squid Web Proxy],[3.2.4],[http://www.squid-cache.org/bugs/],[squid])
AC_PREREQ(2.61)
AC_CONFIG_HEADERS([include/autoconf.h])
AC_CONFIG_AUX_DIR(cfgaux)
diff -u -r -N squid-3.2.3/helpers/basic_auth/DB/basic_db_auth.8 squid-3.2.4/helpers/basic_auth/DB/basic_db_auth.8
--- squid-3.2.3/helpers/basic_auth/DB/basic_db_auth.8 2012-10-21 01:58:57.000000000 +1300
+++ squid-3.2.4/helpers/basic_auth/DB/basic_db_auth.8 2012-12-02 22:40:51.000000000 +1300
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "BASIC_DB_AUTH 1"
-.TH BASIC_DB_AUTH 1 "2012-10-20" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 1 "2012-12-02" "perl v5.10.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.2.3/helpers/basic_auth/MSNT/confload.cc squid-3.2.4/helpers/basic_auth/MSNT/confload.cc
--- squid-3.2.3/helpers/basic_auth/MSNT/confload.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/basic_auth/MSNT/confload.cc 2012-12-02 22:23:10.000000000 +1300
@@ -85,6 +85,7 @@
Confbuf[2048] = '\0';
ProcessLine(Confbuf);
}
+ fclose(ConfigFile);
/*
* Check that at least one server is being queried. Report error if not.
@@ -95,7 +96,6 @@
syslog(LOG_ERR, "OpenConfigFile: No servers set in %s. At least one is needed.", CONFIGFILE);
return 1;
}
- fclose(ConfigFile);
return 0;
}
diff -u -r -N squid-3.2.3/helpers/basic_auth/MSNT/usersfile.cc squid-3.2.4/helpers/basic_auth/MSNT/usersfile.cc
--- squid-3.2.3/helpers/basic_auth/MSNT/usersfile.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/basic_auth/MSNT/usersfile.cc 2012-12-02 22:23:10.000000000 +1300
@@ -83,14 +83,17 @@
* Clear the allowed user string. Return. */
if (fstat(fileno(fp), &FileBuf) < 0) {
syslog(LOG_ERR, "%s: %s", path, strerror(errno));
+ fclose(fp);
return 1;
}
/* If it exists, save the modification time and size */
uf->LMT = FileBuf.st_mtime;
/* Handle the special case of a zero length file */
- if (FileBuf.st_size == 0)
+ if (FileBuf.st_size == 0) {
+ fclose(fp);
return 0;
+ }
/*
* Read the file into memory
diff -u -r -N squid-3.2.3/helpers/basic_auth/NCSA/basic_ncsa_auth.cc squid-3.2.4/helpers/basic_auth/NCSA/basic_ncsa_auth.cc
--- squid-3.2.3/helpers/basic_auth/NCSA/basic_ncsa_auth.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/basic_auth/NCSA/basic_ncsa_auth.cc 2012-12-02 22:23:10.000000000 +1300
@@ -65,7 +65,7 @@
read_passwd_file(const char *passwdfile)
{
FILE *f;
- char buf[8192];
+ char buf[HELPER_INPUT_BUFFER];
user_data *u;
char *user;
char *passwd;
@@ -84,11 +84,18 @@
fprintf(stderr, "FATAL: %s: %s\n", passwdfile, xstrerror());
exit(1);
}
- while (fgets(buf, 8192, f) != NULL) {
+ unsigned int lineCount = 0;
+ buf[HELPER_INPUT_BUFFER-1] = '\0';
+ while (fgets(buf, sizeof(buf)-1, f) != NULL) {
+ ++lineCount;
if ((buf[0] == '#') || (buf[0] == ' ') || (buf[0] == '\t') ||
(buf[0] == '\n'))
continue;
user = strtok(buf, ":\n\r");
+ if (user == NULL) {
+ fprintf(stderr, "ERROR: Missing user name at %s line %d\n", passwdfile, lineCount);
+ continue;
+ }
passwd = strtok(NULL, ":\n\r");
if ((strlen(user) > 0) && passwd) {
u = static_cast(xmalloc(sizeof(*u)));
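Review bot: The new "Missing user name" message prints `lineCount`, which is declared `unsigned int`, with `%d`; the specifier should be `%u`, i.e. `"ERROR: Missing user name at %s line %u\n"`. Separately, `fgets(buf, sizeof(buf)-1, f)` returns an over-long line in pieces, so the tail of such a line is counted and parsed as if it were a new `user:password` record. Because this is a credentials file, it would be safer to detect a chunk that has no trailing newline and skip the rest of that line with a warning. The same loop shape appears in digest_auth/file/text_backend.cc. The body of read_passwd_file starts and ends outside this hunk.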
diff -u -r -N squid-3.2.3/helpers/basic_auth/PAM/basic_pam_auth.cc squid-3.2.4/helpers/basic_auth/PAM/basic_pam_auth.cc
--- squid-3.2.3/helpers/basic_auth/PAM/basic_pam_auth.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/basic_auth/PAM/basic_pam_auth.cc 2012-12-02 22:23:10.000000000 +1300
@@ -260,8 +260,7 @@
/* Authentication */
retval = PAM_SUCCESS;
if (ttl != 0) {
- if (retval == PAM_SUCCESS)
- retval = pam_set_item(pamh, PAM_USER, user);
+ retval = pam_set_item(pamh, PAM_USER, user);
if (retval == PAM_SUCCESS)
retval = pam_set_item(pamh, PAM_CONV, &conv);
}
@@ -278,12 +277,11 @@
/* cleanup */
retval = PAM_SUCCESS;
#if defined(PAM_AUTHTOK)
- if (ttl != 0) {
- if (retval == PAM_SUCCESS)
- retval = pam_set_item(pamh, PAM_AUTHTOK, NULL);
+ if (ttl != 0 && pamh) {
+ retval = pam_set_item(pamh, PAM_AUTHTOK, NULL);
}
#endif
- if (ttl == 0 || retval != PAM_SUCCESS) {
+ if (pamh && (ttl == 0 || retval != PAM_SUCCESS)) {
retval = pam_end(pamh, retval);
if (retval != PAM_SUCCESS) {
debug("WARNING: failed to release PAM authenticator\n");
diff -u -r -N squid-3.2.3/helpers/basic_auth/RADIUS/basic_radius_auth.cc squid-3.2.4/helpers/basic_auth/RADIUS/basic_radius_auth.cc
--- squid-3.2.3/helpers/basic_auth/RADIUS/basic_radius_auth.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/basic_auth/RADIUS/basic_radius_auth.cc 2012-12-02 22:23:10.000000000 +1300
@@ -322,7 +322,7 @@
length = MAXPWNAM;
}
*ptr = length + 2;
- ++ptr;
+ ptr = (unsigned char*)send_buffer + sizeof(AUTH_HDR);
memcpy(ptr, username, length);
ptr += length;
total_length += length + 2;
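Review bot: Whether `ptr = (unsigned char*)send_buffer + sizeof(AUTH_HDR);` lands on the same octet as the removed `++ptr` depends on the layout of AUTH_HDR and on where `ptr` pointed when `*ptr = length + 2` was stored, and neither is visible in this hunk. `total_length += length + 2` indicates that two attribute octets precede the user name, so the copy is only right if sizeof(AUTH_HDR) already covers them; otherwise `memcpy` would overwrite the length just written. A comment on that line stating the assumption, for example `/* sizeof(AUTH_HDR) includes the 2 attribute header octets; the user name starts right after them */`, would make the intent checkable by the next reader.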
@@ -425,7 +425,13 @@
* Send the request we've built.
*/
gettimeofday(&sent, NULL);
- send(socket_fd, (char *) auth, total_length, 0);
+ if (send(socket_fd, (char *) auth, total_length, 0) < 0) {
+ // EAGAIN is expected at high traffic, just retry
+ // TODO: block/sleep a few ms to let the apparently full buffer drain ?
+ if (errno != EAGAIN && errno != EWOULDBLOCK)
+ fprintf(stderr,"ERROR: RADIUS send() failure: %s\n", xstrerror());
+ continue;
+ }
while ((time_spent = time_since(&sent)) < 1000000) {
struct timeval tv;
int rc, len;
@@ -489,16 +495,20 @@
cfname = optarg;
break;
case 'h':
- strcpy(server, optarg);
+ strncpy(server, optarg, sizeof(server)-1);
+ server[sizeof(server)-1] = '\0';
break;
case 'p':
- strcpy(svc_name, optarg);
+ strncpy(svc_name, optarg, sizeof(svc_name)-1);
+ svc_name[sizeof(svc_name)-1] = '\0';
break;
case 'w':
- strcpy(secretkey, optarg);
+ strncpy(secretkey, optarg, sizeof(secretkey)-1);
+ secretkey[sizeof(secretkey)-1] = '\0';
break;
case 'i':
- strcpy(identifier, optarg);
+ strncpy(identifier, optarg, sizeof(identifier)-1);
+ identifier[sizeof(identifier)-1] = '\0';
break;
case 't':
retries = atoi(optarg);
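Review bot: The bounded copies for `-h`, `-p`, `-w` and `-i` truncate an over-long argument silently, so the helper would carry on with a shortened server name or shared secret and fail later in a way that is hard to trace back to the option. Rejecting the value is clearer, for example `if (strlen(optarg) >= sizeof(secretkey)) { fprintf(stderr, "ERROR: -w value too long\n"); exit(1); }` before each copy. The same silent truncation applies to the `my_domain` and `my_domain_controller` copies added in ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc. The option switch starts and ends outside this hunk.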
@@ -566,7 +576,10 @@
exit(1);
}
#ifdef O_NONBLOCK
- fcntl(sockfd, F_SETFL, fcntl(sockfd, F_GETFL, 0) | O_NONBLOCK);
+ if (fcntl(sockfd, F_SETFL, fcntl(sockfd, F_GETFL, 0) | O_NONBLOCK) < 0) {
+ fprintf(stderr,"%s| ERROR: fcntl() failure: %s\n", argv[0], xstrerror());
+ exit(1);
+ }
#endif
nas_ipaddr = ntohl(salocal.sin_addr.s_addr);
while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) {
diff -u -r -N squid-3.2.3/helpers/basic_auth/SMB/basic_smb_auth.cc squid-3.2.4/helpers/basic_auth/SMB/basic_smb_auth.cc
--- squid-3.2.3/helpers/basic_auth/SMB/basic_smb_auth.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/basic_auth/SMB/basic_smb_auth.cc 2012-12-02 22:23:10.000000000 +1300
@@ -82,8 +82,12 @@
char *t;
int i = 0;
- for (t = s; *t != '\0'; t++) {
- if (i > HELPER_INPUT_BUFFER-2) {
+ for (t = s; *t != '\0'; ++t) {
+ /*
+ * NP: The shell escaping permits 'i' to jump up to 2 octets per loop,
+ * so ensure we have at least 3 free.
+ */
+ if (i > HELPER_INPUT_BUFFER-3) {
buf[i] = '\0';
(void) fputs(buf, p);
i = 0;
diff -u -r -N squid-3.2.3/helpers/digest_auth/eDirectory/ldap_backend.cc squid-3.2.4/helpers/digest_auth/eDirectory/ldap_backend.cc
--- squid-3.2.3/helpers/digest_auth/eDirectory/ldap_backend.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/digest_auth/eDirectory/ldap_backend.cc 2012-12-02 22:23:10.000000000 +1300
@@ -286,7 +286,8 @@
value = values;
while (*value) {
if (encrpass) {
- if (strcmp(strtok(*value, delimiter), realm) == 0) {
+ const char *t = strtok(*value, delimiter);
+ if (t && strcmp(t, realm) == 0) {
password = strtok(NULL, delimiter);
break;
}
diff -u -r -N squid-3.2.3/helpers/digest_auth/file/text_backend.cc squid-3.2.4/helpers/digest_auth/file/text_backend.cc
--- squid-3.2.3/helpers/digest_auth/file/text_backend.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/digest_auth/file/text_backend.cc 2012-12-02 22:23:10.000000000 +1300
@@ -29,9 +29,12 @@
* Copyright (c) 2003 Robert Collins
*/
#include "squid.h"
-
#include "text_backend.h"
+#if HAVE_ERRNO_H
+#include
+#endif
+
static hash_table *hash = NULL;
static HASHFREE my_free;
static char *passwdfile = NULL;
@@ -56,7 +59,6 @@
static void
read_passwd_file(const char *passwordFile, int isHa1Mode)
{
- FILE *f;
char buf[8192];
user_data *u;
char *user;
@@ -73,12 +75,22 @@
fprintf(stderr, "digest_file_auth: cannot create hash table\n");
exit(1);
}
- f = fopen(passwordFile, "r");
- while (fgets(buf, 8192, f) != NULL) {
+ FILE *f = fopen(passwordFile, "r");
+ if (!f) {
+ fprintf(stderr, "digest_file_auth: cannot open password file: %s\n", xstrerror());
+ exit(1);
+ }
+ unsigned int lineCount = 0;
+ while (fgets(buf, sizeof(buf), f) != NULL) {
+ ++lineCount;
if ((buf[0] == '#') || (buf[0] == ' ') || (buf[0] == '\t') ||
(buf[0] == '\n'))
continue;
user = strtok(buf, ":\n");
+ if (!user) {
+ fprintf(stderr, "digest_file_auth: missing user name at line %u in '%s'\n", lineCount, passwordFile);
+ continue;
+ }
realm = strtok(NULL, ":\n");
passwd = strtok(NULL, ":\n");
if (!passwd) {
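Review bot: The new fopen() failure message reports the system error but not which file could not be opened, although `passwordFile` is in scope and the later "missing user name" message already prints it. Suggested wording: `fprintf(stderr, "digest_file_auth: cannot open password file '%s': %s\n", passwordFile, xstrerror());`. The body of read_passwd_file continues outside this hunk, so it is not visible here whether `f` is closed after the loop.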
diff -u -r -N squid-3.2.3/helpers/digest_auth/LDAP/ldap_backend.cc squid-3.2.4/helpers/digest_auth/LDAP/ldap_backend.cc
--- squid-3.2.3/helpers/digest_auth/LDAP/ldap_backend.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/digest_auth/LDAP/ldap_backend.cc 2012-12-02 22:23:10.000000000 +1300
@@ -263,7 +263,8 @@
value = values;
while (*value) {
if (encrpass) {
- if (strcmp(strtok(*value, delimiter), realm) == 0) {
+ const char *t = strtok(*value, delimiter);
+ if (t && strcmp(t, realm) == 0) {
password = strtok(NULL, delimiter);
break;
}
diff -u -r -N squid-3.2.3/helpers/external_acl/file_userip/ext_file_userip_acl.cc squid-3.2.4/helpers/external_acl/file_userip/ext_file_userip_acl.cc
--- squid-3.2.3/helpers/external_acl/file_userip/ext_file_userip_acl.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/external_acl/file_userip/ext_file_userip_acl.cc 2012-12-02 22:23:10.000000000 +1300
@@ -76,9 +76,6 @@
linked list */
char line[DICT_BUFFER_SIZE]; /* the buffer for the lines read
from the dict file */
- char *cp; /* a char pointer used to parse
- each line */
- char *username; /* for the username */
char *tmpbuf; /* for the address before the
bitwise AND */
@@ -86,17 +83,28 @@
first_entry = (struct ip_user_dict*)malloc(sizeof(struct ip_user_dict));
current_entry = first_entry;
- while ((cp = fgets (line, DICT_BUFFER_SIZE, FH)) != NULL) {
+ unsigned int lineCount = 0;
+ while (fgets(line, sizeof(line), FH) != NULL) {
+ ++lineCount;
if (line[0] == '#') {
continue;
}
+
+ char *cp; // a char pointer used to parse each line.
if ((cp = strchr (line, '\n')) != NULL) {
/* chop \n characters */
*cp = '\0';
}
- if ((cp = strtok (line, "\t ")) != NULL) {
+ if (strtok(line, "\t ") != NULL) {
+ // NP: line begins with IP/mask. Skipped to the end of it with this strtok()
+
/* get the username */
- username = strtok (NULL, "\t ");
+ char *username;
+ if ((username = strtok(NULL, "\t ")) == NULL) {
+ debug("Missing username on line %u of dictionary file\n", lineCount);
+ continue;
+ }
+
/* look for a netmask */
if ((cp = strtok (line, "/")) != NULL) {
/* store the ip address in a temporary buffer */
@@ -210,7 +218,6 @@
int
main (int argc, char *argv[])
{
- FILE *FH;
char *filename = NULL;
char *program_name = argv[0];
char *cp;
@@ -242,7 +249,11 @@
usage(program_name);
exit(1);
}
- FH = fopen(filename, "r");
+ FILE *FH = fopen(filename, "r");
+ if (!FH) {
+ fprintf(stderr, "%s: FATAL: Unable to open file '%s': %s", program_name, filename, xstrerror());
+ exit(1);
+ }
current_entry = load_dict(FH);
while (fgets(line, HELPER_INPUT_BUFFER, stdin)) {
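Review bot: The new FATAL message for a failed fopen() has no trailing newline, so it runs into whatever is written to stderr next; the format string should end in `\n`, i.e. `"%s: FATAL: Unable to open file '%s': %s\n"`. The rest of main() is outside this hunk, so it is not visible whether `FH` is closed once `load_dict(FH)` has returned.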
diff -u -r -N squid-3.2.3/helpers/external_acl/LM_group/ext_lm_group_acl.cc squid-3.2.4/helpers/external_acl/LM_group/ext_lm_group_acl.cc
--- squid-3.2.3/helpers/external_acl/LM_group/ext_lm_group_acl.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/external_acl/LM_group/ext_lm_group_acl.cc 2012-12-02 22:23:10.000000000 +1300
@@ -69,7 +69,8 @@
#include "squid.h"
#include "helpers/defines.h"
-#include "include/util.h"
+#include "rfc1738.h"
+#include "util.h"
#if _SQUID_CYGWIN_
diff -u -r -N squid-3.2.3/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.2.4/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-3.2.3/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2012-10-21 01:58:59.000000000 +1300
+++ squid-3.2.4/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2012-12-02 22:40:53.000000000 +1300
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1"
-.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2012-10-20" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2012-12-02" "perl v5.10.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.2.3/helpers/log_daemon/file/log_file_daemon.cc squid-3.2.4/helpers/log_daemon/file/log_file_daemon.cc
--- squid-3.2.3/helpers/log_daemon/file/log_file_daemon.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/log_daemon/file/log_file_daemon.cc 2012-12-02 22:23:10.000000000 +1300
@@ -57,16 +57,24 @@
snprintf(from, MAXPATHLEN, "%s.%d", path, i - 1);
snprintf(to, MAXPATHLEN, "%s.%d", path, i);
#if _SQUID_OS2_ || _SQUID_WINDOWS_
- remove(to);
+ if (remove(to) < 0) {
+ fprintf(stderr, "WARNING: remove '%s' failure: %s\n", to, xstrerror());
+ }
#endif
- rename(from, to);
+ if (rename(path, to) < 0 && errno != ENOENT) {
+ fprintf(stderr, "WARNING: rename '%s' to '%s' failure: %s\n", path, to, xstrerror());
+ }
}
if (rotate_count > 0) {
snprintf(to, MAXPATHLEN, "%s.%d", path, 0);
#if _SQUID_OS2_ || _SQUID_WINDOWS_
- remove(to);
+ if (remove(to) < 0) {
+ fprintf(stderr, "WARNING: remove '%s' failure: %s\n", to, xstrerror());
+ }
#endif
- rename(path, to);
+ if (rename(path, to) < 0 && errno != ENOENT) {
+ fprintf(stderr, "WARNING: rename %s to %s failure: %s\n", path, to, xstrerror());
+ }
}
}
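Review bot: Inside the rotation loop the call changed from `rename(from, to)` to `rename(path, to)`, so the `from` name built by the `snprintf` two lines earlier is never used and the numbered generations are no longer shifted up. As written, the loop moves the live log itself and older rotated logs are not preserved as intended. The loop body should read `if (rename(from, to) < 0 && errno != ENOENT) {` with `from` instead of `path` in the warning; `rename(path, to)` belongs only in the `rotate_count > 0` block below. The new `remove(to)` checks will also warn whenever the target does not exist yet, so `&& errno != ENOENT` would fit there too. The loop header is outside this hunk.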
@@ -119,7 +127,7 @@
* out of device space - recover by rotating and hoping that rotation count drops a big one.
*/
if (err == EFBIG || err == ENOSPC) {
- fprintf(stderr, "WARNING: %s writing %s. Attempting to recover via a log rotation.\n",strerror(err),argv[1]);
+ fprintf(stderr, "WARNING: %s writing %s. Attempting to recover via a log rotation.\n",xstrerr(err),argv[1]);
fclose(fp);
rotate(argv[1], rotate_count);
fp = fopen(argv[1], "a");
diff -u -r -N squid-3.2.3/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc squid-3.2.4/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
--- squid-3.2.3/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc 2012-12-02 22:23:10.000000000 +1300
@@ -119,7 +119,7 @@
struct addrinfo *hres = NULL, *hres_list;
int rc, count;
- rc = gethostname(hostname, sysconf(_SC_HOST_NAME_MAX));
+ rc = gethostname(hostname, sizeof(hostname)-1);
if (rc) {
fprintf(stderr, "%s| %s: ERROR: resolving hostname '%s' failed\n",
LogTime(), PROGRAM, hostname);
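Review bot: `gethostname(hostname, sizeof(hostname)-1)` may leave the buffer unterminated when the name is truncated, but the terminator is only written in the next hunk, just before `xstrdup(hostname)`. Every use of `hostname` in between, including the `'%s'` in this error message, can therefore read an unterminated buffer. Moving `hostname[sizeof(hostname)-1] = '\0';` to directly after the gethostname() call closes that window. `sizeof(hostname)` is only the buffer size if `hostname` is an array in this scope; its declaration is outside the hunk.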
@@ -148,7 +148,7 @@
return NULL;
}
freeaddrinfo(hres);
- hostname[sysconf(_SC_HOST_NAME_MAX) - 1] = '\0';
+ hostname[sizeof(hostname)-1] = '\0';
return (xstrdup(hostname));
}
diff -u -r -N squid-3.2.3/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc squid-3.2.4/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc
--- squid-3.2.3/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc 2012-12-02 22:23:10.000000000 +1300
@@ -213,14 +213,13 @@
int
main(int argc, char *argv[])
{
-
const char *Token;
int count;
if (argc < 2) {
fprintf(stderr, "%s| %s: Error: No proxy server name given\n",
LogTime(), PROGRAM);
- exit(99);
+ return 99;
}
if (argc == 3) {
count = atoi(argv[2]);
@@ -235,7 +234,7 @@
fprintf(stdout, "Token: %s\n", Token ? Token : "NULL");
}
- exit(0);
+ return 0;
}
#else
@@ -243,7 +242,7 @@
int
main(int argc, char *argv[])
{
- exit(-1);
+ return -1;
}
#endif /* HAVE_GSSAPI */
diff -u -r -N squid-3.2.3/helpers/ntlm_auth/fake/ntlm_fake_auth.cc squid-3.2.4/helpers/ntlm_auth/fake/ntlm_fake_auth.cc
--- squid-3.2.3/helpers/ntlm_auth/fake/ntlm_fake_auth.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/ntlm_auth/fake/ntlm_fake_auth.cc 2012-12-02 22:23:10.000000000 +1300
@@ -86,14 +86,14 @@
#endif
/* A couple of harmless helper macros */
-#define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n");
+#define SEND(X) {debug("sending '%s' to squid\n",X); printf(X "\n");}
#ifdef __GNUC__
-#define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
-#define SEND4(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
+#define SEND2(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
+#define SEND4(X,Y...) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
#else
/* no gcc, no debugging. varargs macros are a gcc extension */
-#define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);
-#define SEND4(X,Y,Z,W) debug("sending '" X "' to squid\n",Y,Z,W); printf(X "\n",Y,Z,W);
+#define SEND2(X,Y) {debug("sending '" X "' to squid\n",Y); printf(X "\n",Y);}
+#define SEND4(X,Y,Z,W) {debug("sending '" X "' to squid\n",Y,Z,W); printf(X "\n",Y,Z,W);}
#endif
const char *authenticate_ntlm_domain = "WORKGROUP";
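Review bot: Wrapping the macro bodies in bare `{ ... }` still misbehaves in an `if (c) SEND("x"); else ...` construct, because the semicolon after the closing brace ends the `if` and orphans the `else`. The usual form is `#define SEND(X) do { debug("sending '%s' to squid\n",X); printf(X "\n"); } while (0)`, and the same applies to all four SEND2/SEND4 variants in this hunk. A one-line comment saying that X is used as the printf format, and so must be a string literal, would also help.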
diff -u -r -N squid-3.2.3/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc squid-3.2.4/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
--- squid-3.2.3/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc 2012-12-02 22:23:10.000000000 +1300
@@ -191,8 +191,11 @@
{
/* trying to circumvent some strange problem wih pointers in SMBLib */
/* Ugly as hell, but the lib is going to be dropped... */
- strcpy(my_domain,domain);
- strcpy(my_domain_controller,domain_controller);
+ strncpy(my_domain, domain, sizeof(my_domain)-1);
+ my_domain[sizeof(my_domain)-1] = '\0';
+ strncpy(my_domain_controller, domain_controller, sizeof(my_domain_controller)-1);
+ my_domain_controller[sizeof(my_domain_controller)-1] = '\0';
+
if (init_challenge(my_domain, my_domain_controller) > 0) {
return NULL;
}
diff -u -r -N squid-3.2.3/include/MemPoolChunked.h squid-3.2.4/include/MemPoolChunked.h
--- squid-3.2.3/include/MemPoolChunked.h 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/include/MemPoolChunked.h 2012-12-02 22:23:10.000000000 +1300
@@ -56,7 +56,6 @@
size_t chunk_size;
int chunk_capacity;
- int memPID;
int chunkCount;
void *freeCache;
MemChunk *nextFreeChunk;
diff -u -r -N squid-3.2.3/include/version.h squid-3.2.4/include/version.h
--- squid-3.2.3/include/version.h 2012-10-21 01:40:38.000000000 +1300
+++ squid-3.2.4/include/version.h 2012-12-02 22:24:01.000000000 +1300
@@ -9,7 +9,7 @@
*/
#ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1350736787
+#define SQUID_RELEASE_TIME 1354440188
#endif
#ifndef APP_SHORTNAME
diff -u -r -N squid-3.2.3/lib/rfcnb/rfcnb-util.c squid-3.2.4/lib/rfcnb/rfcnb-util.c
--- squid-3.2.3/lib/rfcnb/rfcnb-util.c 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/lib/rfcnb/rfcnb-util.c 2012-12-02 22:23:10.000000000 +1300
@@ -425,6 +425,7 @@
char resp[16];
int len;
struct RFCNB_Pkt *pkt, res_pkt;
+ int result = 0;
/* We build and send the session request, then read the response */
@@ -450,7 +451,7 @@
#endif
if ((len = RFCNB_Put_Pkt(con, pkt, RFCNB_Pkt_Sess_Len)) < 0) {
-
+ RFCNB_Free_Pkt(pkt);
return (RFCNBE_Bad); /* Should be able to write that lot ... */
}
@@ -463,7 +464,7 @@
res_pkt.next = NULL;
if ((len = RFCNB_Get_Pkt(con, &res_pkt, sizeof(resp))) < 0) {
-
+ RFCNB_Free_Pkt(pkt);
return (RFCNBE_Bad);
}
@@ -497,12 +498,12 @@
break;
}
- return (RFCNBE_Bad);
+ result = (RFCNBE_Bad);
break;
case RFCNB_SESSION_ACK: /* Got what we wanted ... */
- return (0);
+ result = (0);
break;
case RFCNB_SESSION_RETARGET: /* Go elsewhere */
@@ -512,13 +513,16 @@
memcpy(Dest_IP, (resp + RFCNB_Pkt_IP_Offset), sizeof(struct in_addr));
*port = SVAL(resp, RFCNB_Pkt_Port_Offset);
- return (0);
+ result = (0);
break;
default: /* A protocol error */
RFCNB_errno = RFCNBE_ProtErr;
- return (RFCNBE_Bad);
+ result = (RFCNBE_Bad);
break;
}
+
+ RFCNB_Free_Pkt(pkt);
+ return result;
}
diff -u -r -N squid-3.2.3/RELEASENOTES.html squid-3.2.4/RELEASENOTES.html
--- squid-3.2.3/RELEASENOTES.html 2012-10-21 01:59:04.000000000 +1300
+++ squid-3.2.4/RELEASENOTES.html 2012-12-02 22:41:00.000000000 +1300
@@ -2,10 +2,10 @@
- Squid 3.2.2 release notes
+ Squid 3.2.4 release notes
-Squid 3.2.2 release notes
+Squid 3.2.4 release notes
Squid Developers
@@ -72,7 +72,7 @@
-The Squid Team are pleased to announce the release of Squid-3.2.2 for testing.
+The Squid Team are pleased to announce the release of Squid-3.2.4 for testing.
This new release is available for download from
http://www.squid-cache.org/Versions/v3/3.2/ or the
mirrors.
@@ -535,9 +535,10 @@
The cache manager is available under the path prefix /squid-internal-mgr/. For example
the URL http://example/com/squid-internal-mgr/menu will bring up the manager menu. This
means there are some configuration changes required to lock down manager access.
-The manager ACL needs changing to:
+The manager ACL needs changing. A built-in definition is now used, equivalent
+to the following regex pattern:
- acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/
+ ^(cache_object://|https?://[^/]+/squid-internal-mgr/)
@@ -547,6 +548,14 @@
cache manager applications as their front page embedding all scripts, accessors or
redirects required for their initial GUI display.
+MGR_INDEX file
+
+- should contain a complete HTML page, with optional client-side scripting.
+- must not contain server-side scripting.
+- will have macro substitution performed on it using the same macros as used by the error page tempates.
+
+
+
Version 3.2 of the CGI cache manager tool now presents XHR scripted probes to detect
proxies presenting these manager index pagess and provides direct HTTP/HTTPS web links
to those managers.
@@ -724,15 +733,18 @@
New type random. Pseudo-randomly match requests based on a configured probability.
Renamed myip to localip. It matches the IP which the client connected to.
Renamed myport to localport. It matches the port which the client connected to.
+Ported urllogin option from Squid 2.7, to match a regex pattern on the URL login field (if any).
The localip/localport differ from earlier releases where they matched a mix of
of an invalid IP and port 0, the client destination IP/port or the Squid listening IP/port.
This definition is now consistent across all modes of traffic received by Squid.
-The manager ACL requires adjustment to cover new cache manager access:
+
The manager ACL requires adjustment to cover new cache manager access. So it has now been
+built-in as a predefined ACL name matching URLs equivalent to the following regular expression:
- acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/
+ ^(cache_object://|https?://[^/]+/squid-internal-mgr/)
-
+
+squid.conf containing the old manager definition can expect to see ACL type collisions.
auth_param
New options for Basic, Digest, NTLM, Negotiate children settings.
@@ -829,6 +841,8 @@
refresh_pattern
New option max-stale= to provide a maximum staleness factor. Squid won't
serve objects more stale than this even if it failed to validate the object.
+Removed option ignore-no-cache. Its commonly desired behaviour is obsoleted
+by correct HTTP/1.1 Cache-Control:no-cache handling.
reply_header_access
Added support for custom response header names.
@@ -1192,10 +1206,6 @@
-- acl
-
-
urllogin option not yet ported from 2.6
-urlgroup option not yet ported from 2.6
-
- broken_vary_encoding
-
Not yet ported from 2.6
diff -u -r -N squid-3.2.3/src/AccessLogEntry.cc squid-3.2.4/src/AccessLogEntry.cc
--- squid-3.2.3/src/AccessLogEntry.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/AccessLogEntry.cc 2012-12-02 22:23:10.000000000 +1300
@@ -13,7 +13,7 @@
if (tcpClient != NULL)
tcpClient->remote.NtoA(buf, bufsz);
else if (cache.caddr.IsNoAddr()) // e.g., ICAP OPTIONS lack client
- strncpy(buf, "-", 1);
+ strncpy(buf, "-", bufsz);
else
cache.caddr.NtoA(buf, bufsz);
}
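Review bot: `strncpy(buf, "-", bufsz)` zero-fills the entire buffer on every call and still leaves `buf` unterminated when `bufsz` is 1. `snprintf(buf, bufsz, "-");` writes only what is needed and always terminates for any non-zero size. The enclosing function starts outside this hunk, so the range of `bufsz` values callers pass cannot be confirmed from here.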
diff -u -r -N squid-3.2.3/src/acl/Makefile.am squid-3.2.4/src/acl/Makefile.am
--- squid-3.2.3/src/acl/Makefile.am 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/acl/Makefile.am 2012-12-02 22:23:10.000000000 +1300
@@ -98,6 +98,8 @@
Tag.h \
Url.cc \
Url.h \
+ UrlLogin.cc \
+ UrlLogin.h \
UrlPath.cc \
UrlPath.h \
UrlPort.cc \
diff -u -r -N squid-3.2.3/src/acl/Makefile.in squid-3.2.4/src/acl/Makefile.in
--- squid-3.2.3/src/acl/Makefile.in 2012-10-21 01:40:18.000000000 +1300
+++ squid-3.2.4/src/acl/Makefile.in 2012-12-02 22:23:42.000000000 +1300
@@ -74,11 +74,12 @@
Referer.cc Referer.h ReplyHeaderStrategy.h ReplyMimeType.cc \
ReplyMimeType.h RequestHeaderStrategy.h RequestMimeType.cc \
RequestMimeType.h SourceAsn.h SourceDomain.cc SourceDomain.h \
- SourceIp.cc SourceIp.h Tag.cc Tag.h Url.cc Url.h UrlPath.cc \
- UrlPath.h UrlPort.cc UrlPort.h UserData.cc UserData.h \
- Gadgets.cc Gadgets.h CertificateData.cc CertificateData.h \
- Certificate.cc Certificate.h SslError.cc SslError.h \
- SslErrorData.cc SslErrorData.h Arp.cc Arp.h Eui64.cc Eui64.h
+ SourceIp.cc SourceIp.h Tag.cc Tag.h Url.cc Url.h UrlLogin.cc \
+ UrlLogin.h UrlPath.cc UrlPath.h UrlPort.cc UrlPort.h \
+ UserData.cc UserData.h Gadgets.cc Gadgets.h CertificateData.cc \
+ CertificateData.h Certificate.cc Certificate.h SslError.cc \
+ SslError.h SslErrorData.cc SslErrorData.h Arp.cc Arp.h \
+ Eui64.cc Eui64.h
am__objects_1 = CertificateData.lo Certificate.lo SslError.lo \
SslErrorData.lo
@ENABLE_SSL_TRUE@am__objects_2 = $(am__objects_1)
@@ -92,8 +93,8 @@
Method.lo MethodData.lo MyIp.lo MyPort.lo MyPortName.lo \
PeerName.lo Protocol.lo ProtocolData.lo Random.lo Referer.lo \
ReplyMimeType.lo RequestMimeType.lo SourceDomain.lo \
- SourceIp.lo Tag.lo Url.lo UrlPath.lo UrlPort.lo UserData.lo \
- Gadgets.lo $(am__objects_2) $(am__objects_4)
+ SourceIp.lo Tag.lo Url.lo UrlLogin.lo UrlPath.lo UrlPort.lo \
+ UserData.lo Gadgets.lo $(am__objects_2) $(am__objects_4)
libacls_la_OBJECTS = $(am_libacls_la_OBJECTS)
libapi_la_LIBADD =
am_libapi_la_OBJECTS = Acl.lo Checklist.lo
@@ -386,9 +387,10 @@
ReplyHeaderStrategy.h ReplyMimeType.cc ReplyMimeType.h \
RequestHeaderStrategy.h RequestMimeType.cc RequestMimeType.h \
SourceAsn.h SourceDomain.cc SourceDomain.h SourceIp.cc \
- SourceIp.h Tag.cc Tag.h Url.cc Url.h UrlPath.cc UrlPath.h \
- UrlPort.cc UrlPort.h UserData.cc UserData.h Gadgets.cc \
- Gadgets.h $(am__append_2) $(am__append_3)
+ SourceIp.h Tag.cc Tag.h Url.cc Url.h UrlLogin.cc UrlLogin.h \
+ UrlPath.cc UrlPath.h UrlPort.cc UrlPort.h UserData.cc \
+ UserData.h Gadgets.cc Gadgets.h $(am__append_2) \
+ $(am__append_3)
EXTRA_libacls_la_SOURCES = $(SSL_ACLS) $(ARP_ACLS)
SSL_ACLS = \
CertificateData.cc \
@@ -512,6 +514,7 @@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/Time.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/TimeData.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/Url.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/UrlLogin.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/UrlPath.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/UrlPort.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/UserData.Plo@am__quote@
diff -u -r -N squid-3.2.3/src/acl/UrlLogin.cc squid-3.2.4/src/acl/UrlLogin.cc
--- squid-3.2.3/src/acl/UrlLogin.cc 1970-01-01 12:00:00.000000000 +1200
+++ squid-3.2.4/src/acl/UrlLogin.cc 2012-12-02 22:23:10.000000000 +1300
@@ -0,0 +1,56 @@
+/*
+ * DEBUG: section 28 Access Control
+ * AUTHOR: Duane Wessels
+ *
+ * SQUID Web Proxy Cache http://www.squid-cache.org/
+ * ----------------------------------------------------------
+ *
+ * Squid is the result of efforts by numerous individuals from
+ * the Internet community; see the CONTRIBUTORS file for full
+ * details. Many organizations have provided support for Squid's
+ * development; see the SPONSORS file for full details. Squid is
+ * Copyrighted (C) 2001 by the Regents of the University of
+ * California; see the COPYRIGHT file for full details. Squid
+ * incorporates software developed and/or copyrighted by other
+ * sources; see the CREDITS file for full details.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
+ *
+ */
+
+#include "squid.h"
+#include "acl/UrlLogin.h"
+#include "acl/Checklist.h"
+#include "acl/RegexData.h"
+#include "HttpRequest.h"
+#include "rfc1738.h"
+
+int
+ACLUrlLoginStrategy::match (ACLData * &data, ACLFilledChecklist *checklist)
+{
+ char *esc_buf = xstrdup(checklist->request->login);
+ rfc1738_unescape(esc_buf);
+ int result = data->match(esc_buf);
+ safe_free(esc_buf);
+ return result;
+}
+
+ACLUrlLoginStrategy *
+ACLUrlLoginStrategy::Instance()
+{
+ return &Instance_;
+}
+
+ACLUrlLoginStrategy ACLUrlLoginStrategy::Instance_;
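Review bot: `ACLUrlLoginStrategy::match` carries no comment saying what the regex is run against, and that matters to anyone writing `urllogin` rules. The pattern sees a heap copy of `checklist->request->login` after `rfc1738_unescape`, i.e. the decoded login field rather than the bytes as they appeared in the URL. I would add `/* match the URL-decoded login; work on a copy because rfc1738_unescape() rewrites its argument in place */` above the `xstrdup` line. The declaration of `login` is not part of this diff; if it can be a null pointer, the `xstrdup` call needs the same kind of guard the TextException hunk in this release adds.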
diff -u -r -N squid-3.2.3/src/acl/UrlLogin.h squid-3.2.4/src/acl/UrlLogin.h
--- squid-3.2.3/src/acl/UrlLogin.h 1970-01-01 12:00:00.000000000 +1200
+++ squid-3.2.4/src/acl/UrlLogin.h 2012-12-02 22:23:10.000000000 +1300
@@ -0,0 +1,73 @@
+
+/*
+ * $Id$
+ *
+ *
+ * SQUID Web Proxy Cache http://www.squid-cache.org/
+ * ----------------------------------------------------------
+ *
+ * Squid is the result of efforts by numerous individuals from
+ * the Internet community; see the CONTRIBUTORS file for full
+ * details. Many organizations have provided support for Squid's
+ * development; see the SPONSORS file for full details. Squid is
+ * Copyrighted (C) 2001 by the Regents of the University of
+ * California; see the COPYRIGHT file for full details. Squid
+ * incorporates software developed and/or copyrighted by other
+ * sources; see the CREDITS file for full details.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
+ *
+ *
+ * Copyright (c) 2003, Robert Collins
+ */
+
+#ifndef SQUID_ACLURLLOGIN_H
+#define SQUID_ACLURLLOGIN_H
+
+#include "acl/Acl.h"
+#include "acl/Data.h"
+#include "acl/Strategy.h"
+#include "acl/Strategised.h"
+
+class ACLUrlLoginStrategy : public ACLStrategy
+{
+
+public:
+ virtual int match (ACLData * &, ACLFilledChecklist *);
+ virtual bool requiresRequest() const {return true;}
+
+ static ACLUrlLoginStrategy *Instance();
+ /* Not implemented to prevent copies of the instance. */
+ /* Not private to prevent brain dead g+++ warnings about
+ * private constructors with no friends */
+ ACLUrlLoginStrategy(ACLUrlLoginStrategy const &);
+
+private:
+ static ACLUrlLoginStrategy Instance_;
+ ACLUrlLoginStrategy() {}
+
+ ACLUrlLoginStrategy&operator=(ACLUrlLoginStrategy const &);
+};
+
+class ACLUrlLogin
+{
+
+public:
+ static ACL::Prototype RegistryProtoype;
+ static ACL::Prototype LegacyRegistryProtoype;
+ static ACLStrategised RegistryEntry_;
+};
+
+#endif /* SQUID_ACLURLLOGIN_H */
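Review bot: `ACLUrlLogin` declares `static ACL::Prototype LegacyRegistryProtoype;`, but the AclRegs.cc hunk of this diff defines only `RegistryProtoype` and `RegistryEntry_` for `urllogin`. Nothing shown refers to the legacy member, so it links today, yet any later use would fail at link time; dropping the declaration keeps the header in step with what is registered. The copy constructor is deliberately left public and unimplemented (per the comment), which turns an accidental copy into a link error rather than a compile error.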
diff -u -r -N squid-3.2.3/src/AclRegs.cc squid-3.2.4/src/AclRegs.cc
--- squid-3.2.3/src/AclRegs.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/AclRegs.cc 2012-12-02 22:23:10.000000000 +1300
@@ -63,6 +63,7 @@
#include "acl/TimeData.h"
#include "acl/Time.h"
#include "acl/Url.h"
+#include "acl/UrlLogin.h"
#include "acl/UrlPath.h"
#include "acl/UrlPort.h"
#include "acl/UserData.h"
@@ -129,6 +130,8 @@
ACLStrategised ACLTime::RegistryEntry_(new ACLTimeData, ACLTimeStrategy::Instance(), "time");
ACL::Prototype ACLUrl::RegistryProtoype(&ACLUrl::RegistryEntry_, "url_regex");
ACLStrategised ACLUrl::RegistryEntry_(new ACLRegexData, ACLUrlStrategy::Instance(), "url_regex");
+ACL::Prototype ACLUrlLogin::RegistryProtoype(&ACLUrlLogin::RegistryEntry_, "urllogin");
+ACLStrategised ACLUrlLogin::RegistryEntry_(new ACLRegexData, ACLUrlLoginStrategy::Instance(), "urllogin");
ACL::Prototype ACLUrlPath::LegacyRegistryProtoype(&ACLUrlPath::RegistryEntry_, "pattern");
ACL::Prototype ACLUrlPath::RegistryProtoype(&ACLUrlPath::RegistryEntry_, "urlpath_regex");
ACLStrategised ACLUrlPath::RegistryEntry_(new ACLRegexData, ACLUrlPathStrategy::Instance(), "urlpath_regex");
diff -u -r -N squid-3.2.3/src/adaptation/icap/Options.cc squid-3.2.4/src/adaptation/icap/Options.cc
--- squid-3.2.3/src/adaptation/icap/Options.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/adaptation/icap/Options.cc 2012-12-02 22:23:10.000000000 +1300
@@ -205,8 +205,11 @@
while (strListGetItem(&buf, ',', &item, &ilen, &pos)) {
if (ilen == 1 && *item == '*')
foundStar = true;
- else
- add(xstrndup(item, ilen+1));
+ else {
+ const char *tmp = xstrndup(item, ilen+1);
+ add(tmp);
+ xfree(tmp);
+ }
}
}
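Review bot: Freeing `tmp` right after `add(tmp)` is only safe if `add()` stores its own copy of the string, and `add()` is not visible in this hunk. If it keeps the pointer, the leak fix becomes a use-after-free on the next read of the stored entry. A one-line comment such as `// add() copies the extension string, so the temporary can be released` would record the ownership rule the fix depends on. The enclosing function starts and ends outside the hunk.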
diff -u -r -N squid-3.2.3/src/adaptation/icap/Xaction.cc squid-3.2.4/src/adaptation/icap/Xaction.cc
--- squid-3.2.3/src/adaptation/icap/Xaction.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/adaptation/icap/Xaction.cc 2012-12-02 22:23:10.000000000 +1300
@@ -42,7 +42,8 @@
ignoreLastWrite(false),
connector(NULL), reader(NULL), writer(NULL), closer(NULL),
alep(new AccessLogEntry),
- al(*alep)
+ al(*alep),
+ cs(NULL)
{
debugs(93,3, typeName << " constructed, this=" << this <<
" [icapx" << id << ']'); // we should not call virtual status() here
@@ -167,7 +168,7 @@
// TODO: service bypass status may differ from that of a transaction
typedef CommCbMemFunT ConnectDialer;
connector = JobCallback(93,3, ConnectDialer, this, Adaptation::Icap::Xaction::noteCommConnected);
- Comm::ConnOpener *cs = new Comm::ConnOpener(connection, connector, TheConfig.connect_timeout(service().cfg().bypass));
+ cs = new Comm::ConnOpener(connection, connector, TheConfig.connect_timeout(service().cfg().bypass));
cs->setHost(s.cfg().host.termedBuf());
AsyncJob::Start(cs);
}
@@ -222,6 +223,8 @@
// connection with the ICAP service established
void Adaptation::Icap::Xaction::noteCommConnected(const CommConnectCbParams &io)
{
+ cs = NULL;
+
if (io.flag == COMM_TIMEOUT) {
handleCommTimedout();
return;
@@ -506,6 +509,12 @@
void Adaptation::Icap::Xaction::swanSong()
{
// kids should sing first and then call the parent method.
+ if (cs) {
+ debugs(93,6, HERE << id << " about to notify ConnOpener!");
+ CallJobHere(93, 3, cs, Comm::ConnOpener, noteAbort);
+ cs = NULL;
+ service().noteConnectionFailed("abort");
+ }
closeConnection(); // TODO: rename because we do not always close
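Review bot: `cs` is a raw `Comm::ConnOpener *` to an asynchronous job, and the only place it is cleared is `noteCommConnected`. If the opener ever ends without that callback being delivered, `swanSong` hands a dangling pointer to `CallJobHere(93, 3, cs, Comm::ConnOpener, noteAbort)`. Holding the job through a callback-guarded pointer (the `CbcPointer`-based `Pointer` typedef visible in the ConnOpener.h hunk) would make the stale case detectable instead of undefined. `service().noteConnectionFailed("abort")` also records a locally aborted transaction as a service failure; whether that can count against a healthy ICAP service depends on code outside this diff.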
diff -u -r -N squid-3.2.3/src/adaptation/icap/Xaction.h squid-3.2.4/src/adaptation/icap/Xaction.h
--- squid-3.2.3/src/adaptation/icap/Xaction.h 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/adaptation/icap/Xaction.h 2012-12-02 22:23:10.000000000 +1300
@@ -44,6 +44,10 @@
#include "ipcache.h"
class CommConnectCbParams;
+namespace Comm
+{
+class ConnOpener;
+}
namespace Adaptation
{
@@ -188,6 +192,7 @@
timeval icap_tio_finish; /*time when the last byte of the ICAP responsewas received*/
private:
+ Comm::ConnOpener *cs;
//CBDATA_CLASS2(Xaction);
};
diff -u -r -N squid-3.2.3/src/base/TextException.cc squid-3.2.4/src/base/TextException.cc
--- squid-3.2.3/src/base/TextException.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/base/TextException.cc 2012-12-02 22:23:10.000000000 +1300
@@ -17,7 +17,7 @@
}
TextException::TextException(const char *aMsg, const char *aFileName, int aLineNo, unsigned int anId):
- message(xstrdup(aMsg)), theFileName(aFileName), theLineNo(aLineNo), theId(anId)
+ message(aMsg?xstrdup(aMsg):NULL), theFileName(aFileName), theLineNo(aLineNo), theId(anId)
{}
TextException::~TextException() throw()
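Review bot: With `message(aMsg?xstrdup(aMsg):NULL)` the `message` member can now be NULL, which moves the null-pointer risk from the constructor to every reader of `message`. The accessors and the copy constructor are outside this hunk, so I cannot tell whether they already tolerate NULL. If they do not, storing an empty string keeps the invariant simple: `message(xstrdup(aMsg ? aMsg : ""))`.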
diff -u -r -N squid-3.2.3/src/cache_cf.cc squid-3.2.4/src/cache_cf.cc
--- squid-3.2.3/src/cache_cf.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/cache_cf.cc 2012-12-02 22:23:10.000000000 +1300
@@ -540,6 +540,7 @@
cfg_filename = orig_cfg_filename;
config_lineno = orig_config_lineno;
+ xfree(tmp_line);
return err_count;
}
diff -u -r -N squid-3.2.3/src/cf.data.pre squid-3.2.4/src/cf.data.pre
--- squid-3.2.3/src/cf.data.pre 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/cf.data.pre 2012-12-02 22:23:10.000000000 +1300
@@ -747,6 +747,8 @@
acl aclname url_regex [-i] ^http:// ...
# regex matching on whole URL [fast]
+ acl aclname urllogin [-i] [^a-zA-Z0-9] ...
+ # regex matching on URL login field
acl aclname urlpath_regex [-i] \.gif$ ...
# regex matching on URL path [fast]
diff -u -r -N squid-3.2.3/src/cf_gen.cc squid-3.2.4/src/cf_gen.cc
--- squid-3.2.3/src/cf_gen.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/cf_gen.cc 2012-12-02 22:23:10.000000000 +1300
@@ -151,6 +151,7 @@
static void gen_free(const EntryList &, std::ostream&);
static void gen_conf(const EntryList &, std::ostream&, bool verbose_output);
static void gen_default_if_none(const EntryList &, std::ostream&);
+static const char *available_if(const std::string &name);
static void
checkDepend(const std::string &directive, const char *name, const TypeList &types, const EntryList &entries)
@@ -520,7 +521,9 @@
{
fout << "static void" << std::endl <<
"defaults_if_none(void)" << std::endl <<
- "{" << std::endl;
+ "{" << std::endl <<
+ " cfg_filename = \"Default Configuration (if absent)\";" << std::endl <<
+ " config_lineno = 0;" << std::endl;
for (EntryList::const_iterator entry = head.begin(); entry != head.end(); ++entry) {
assert(entry->name.size());
@@ -548,13 +551,16 @@
fout << "#endif" << std::endl;
}
- fout << "}" << std::endl << std::endl;
+ fout << " cfg_filename = NULL;" << std::endl <<
+ "}" << std::endl << std::endl;
}
void
Entry::genParseAlias(const std::string &aName, std::ostream &fout) const
{
fout << " if (!strcmp(token, \"" << aName << "\")) {" << std::endl;
+ if (ifdef.size())
+ fout << "#if " << ifdef << std::endl;
fout << " ";
if (type.compare("obsolete") == 0) {
fout << "debugs(0, DBG_CRITICAL, \"ERROR: Directive '" << aName << "' is obsolete.\");\n";
@@ -569,6 +575,12 @@
fout << "parse_" << type << "(&" << loc << (array_flag ? "[0]" : "") << ");";
}
fout << std::endl;
+ if (ifdef.size()) {
+ fout <<
+ "#else" << std::endl <<
+ " debugs(0, DBG_PARSE_NOTE(DBG_IMPORTANT), \"ERROR: '" << name << "' requires " << available_if(ifdef) << "\");" << std::endl <<
+ "#endif" << std::endl;
+ }
fout << " return 1;" << std::endl;
fout << " };" << std::endl;
}
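Review bot: The generated `#else` branch prints `name` where the rest of `Entry::genParseAlias` uses `aName`, so when a directive is reached through an alias the error names a directive the administrator never wrote. Using the alias keeps the message consistent with the obsolete-directive message a few lines up: `"ERROR: '" << aName << "' requires " << available_if(ifdef)`. The `#if` that pairs with this `#else` is emitted in the previous hunk.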
@@ -579,9 +591,6 @@
if (name.compare("comment") == 0)
return;
- if (ifdef.size())
- fout << "#if " << ifdef << std::endl;
-
// Once for the current directive name
genParseAlias(name, fout);
@@ -589,9 +598,6 @@
for (EntryAliasList::const_iterator a = alias.begin(); a != alias.end(); ++a) {
genParseAlias(*a, fout);
}
-
- if (ifdef.size())
- fout << "#endif\n";
}
static void
diff -u -r -N squid-3.2.3/src/cf_gen_defines squid-3.2.4/src/cf_gen_defines
--- squid-3.2.3/src/cf_gen_defines 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/cf_gen_defines 2012-12-02 22:23:10.000000000 +1300
@@ -14,6 +14,7 @@
define["ICAP_CLIENT"]="--enable-icap-client"
define["SQUID_SNMP"]="--enable-snmp"
define["USE_ADAPTATION"]="--enable-ecap or --enable-icap-client"
+ define["USE_AUTH"]="--enable-auth"
define["USE_CACHE_DIGESTS"]="--enable-cache-digests"
define["USE_DNSHELPER"]="--disable-internal-dns"
define["!USE_DNSHELPER"]="--enable-internal-dns"
@@ -24,6 +25,8 @@
define["USE_IDENT"]="--enable-ident-lookups"
define["USE_LOADABLE_MODULES"]="--enable-loadable-modules"
define["USE_SQUID_ESI"]="--enable-esi"
+ define["USE_SQUID_EUI"]="--enable-eui"
+ define["USE_SSL_CRTD"]="--enable-ssl-crtd"
define["USE_SSL"]="--enable-ssl"
define["USE_UNLINKD"]="--enable-unlinkd"
define["USE_WCCP"]="--enable-wccp"
@@ -34,8 +37,8 @@
}
/^IFDEF:/ {
if (define[$2] != "")
- DEFINE=define[$2] " option"
- else
+ DEFINE=define[$2]
+ else
DEFINE="-D" $2 " define"
print "{\"" $2 "\", \"" DEFINE "\", "
print "#if " $2
diff -u -r -N squid-3.2.3/src/client_side.cc squid-3.2.4/src/client_side.cc
--- squid-3.2.3/src/client_side.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/client_side.cc 2012-12-02 22:23:10.000000000 +1300
@@ -4085,16 +4085,21 @@
void
ConnStateData::unpinConnection()
{
+ debugs(33, 3, HERE << pinning.serverConnection);
+
if (pinning.peer)
cbdataReferenceDone(pinning.peer);
- if (pinning.closeHandler != NULL) {
- comm_remove_close_handler(pinning.serverConnection->fd, pinning.closeHandler);
- pinning.closeHandler = NULL;
- }
- /// also close the server side socket, we should not use it for any future requests...
- if (Comm::IsConnOpen(pinning.serverConnection))
+ if (Comm::IsConnOpen(pinning.serverConnection)) {
+ if (pinning.closeHandler != NULL) {
+ comm_remove_close_handler(pinning.serverConnection->fd, pinning.closeHandler);
+ }
+ /// also close the server side socket, we should not use it for any future requests...
+ // TODO: do not close if called from our close handler?
pinning.serverConnection->close();
+ }
+ pinning.closeHandler = NULL; // ensure it is unset regardless of the above conditionals
+
safe_free(pinning.host);
/* NOTE: pinning.pinned should be kept. This combined with fd == -1 at the end of a request indicates that the host
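Review bot: The reason `comm_remove_close_handler` moved inside the `Comm::IsConnOpen` test is not stated, and it is the core of this change. Both overloads of that function assert `isOpen(fd)` (see the comm.cc hunks in this diff), so calling it for an already closed pinned connection aborts the process. I would say so at the check, e.g. `// comm_remove_close_handler() asserts the FD is open; skip it for a closed connection`. The open TODO about being called from the close handler itself deserves a bug reference so it is not lost. The function continues past the end of the hunk.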
diff -u -r -N squid-3.2.3/src/client_side_reply.cc squid-3.2.4/src/client_side_reply.cc
--- squid-3.2.3/src/client_side_reply.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/client_side_reply.cc 2012-12-02 22:23:10.000000000 +1300
@@ -1347,7 +1347,7 @@
else if (http->storeEntry()->timestamp > 0)
hdr->insertTime(HDR_DATE, http->storeEntry()->timestamp);
else {
- debugs(88,DBG_IMPORTANT,"WARNING: An error inside Squid has caused an HTTP reply without Date:. Please report this:");
+ debugs(88,DBG_IMPORTANT,"BUG 3279: HTTP reply without Date:");
/* dump something useful about the problem */
http->storeEntry()->dump(DBG_IMPORTANT);
}
diff -u -r -N squid-3.2.3/src/comm/Connection.cc squid-3.2.4/src/comm/Connection.cc
--- squid-3.2.3/src/comm/Connection.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/comm/Connection.cc 2012-12-02 22:23:10.000000000 +1300
@@ -27,8 +27,8 @@
Comm::Connection::~Connection()
{
if (fd >= 0) {
- debugs(5, 0, "BUG: Orphan Comm::Connection: " << *this);
- debugs(5, 0, "NOTE: " << ++lost_conn << " Orphans since last started.");
+ debugs(5, DBG_CRITICAL, "BUG #3329: Orphan Comm::Connection: " << *this);
+ debugs(5, DBG_CRITICAL, "NOTE: " << ++lost_conn << " Orphans since last started.");
close();
}
diff -u -r -N squid-3.2.3/src/comm/ConnOpener.h squid-3.2.4/src/comm/ConnOpener.h
--- squid-3.2.3/src/comm/ConnOpener.h 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/comm/ConnOpener.h 2012-12-02 22:23:10.000000000 +1300
@@ -21,6 +21,8 @@
virtual void swanSong();
public:
+ void noteAbort() { mustStop("externally aborted"); }
+
typedef CbcPointer Pointer;
virtual bool doneAll() const;
diff -u -r -N squid-3.2.3/src/comm/TcpAcceptor.cc squid-3.2.4/src/comm/TcpAcceptor.cc
--- squid-3.2.3/src/comm/TcpAcceptor.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/comm/TcpAcceptor.cc 2012-12-02 22:23:10.000000000 +1300
@@ -46,10 +46,12 @@
#include "SquidTime.h"
#include "StatCounters.h"
-namespace Comm
-{
-CBDATA_CLASS_INIT(TcpAcceptor);
-};
+#ifdef HAVE_NETINET_TCP_H
+// required for accept_filter to build.
+#include
+#endif
+
+CBDATA_NAMESPACED_CLASS_INIT(Comm, TcpAcceptor);
Comm::TcpAcceptor::TcpAcceptor(const Comm::ConnectionPointer &newConn, const char *note, const Subscription::Pointer &aSub) :
AsyncJob("Comm::TcpAcceptor"),
diff -u -r -N squid-3.2.3/src/comm.cc squid-3.2.4/src/comm.cc
--- squid-3.2.3/src/comm.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/comm.cc 2012-12-02 22:23:10.000000000 +1300
@@ -221,7 +221,7 @@
bool
comm_monitors_read(int fd)
{
- assert(isOpen(fd));
+ assert(isOpen(fd) && COMMIO_FD_READCB(fd));
// Being active is usually the same as monitoring because we always
// start monitoring the FD when we configure Comm::IoCallback for I/O
// and we usually configure Comm::IoCallback for I/O when we starting
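Review bot: Folding a second condition into the existing assert, as in `assert(isOpen(fd) && COMMIO_FD_READCB(fd));`, means an abort report no longer says which condition failed. The same applies to `comm_has_incomplete_write` and to `commStartHalfClosedMonitor`, where two separate asserts were merged into one. An assert failure here takes the whole proxy down, so the report is the main evidence an operator has; one condition per assert preserves it: `assert(isOpen(fd));` followed by `assert(COMMIO_FD_READCB(fd));`.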
@@ -352,7 +352,7 @@
bool
comm_has_incomplete_write(int fd)
{
- assert(isOpen(fd));
+ assert(isOpen(fd) && COMMIO_FD_WRITECB(fd));
return COMMIO_FD_WRITECB(fd)->active();
}
@@ -1227,7 +1227,7 @@
void
comm_remove_close_handler(int fd, CLCB * handler, void *data)
{
- assert (isOpen(fd));
+ assert(isOpen(fd));
/* Find handler in list */
debugs(5, 5, "comm_remove_close_handler: FD " << fd << ", handler=" <<
handler << ", data=" << data);
@@ -1256,7 +1256,7 @@
void
comm_remove_close_handler(int fd, AsyncCall::Pointer &call)
{
- assert (isOpen(fd));
+ assert(isOpen(fd));
debugs(5, 5, "comm_remove_close_handler: FD " << fd << ", AsyncCall=" << call);
// comm_close removes all close handlers so our handler may be gone
@@ -1829,8 +1829,7 @@
commStartHalfClosedMonitor(int fd)
{
debugs(5, 5, HERE << "adding FD " << fd << " to " << *TheHalfClosed);
- assert(isOpen(fd));
- assert(!commHasHalfClosedMonitor(fd));
+ assert(isOpen(fd) && !commHasHalfClosedMonitor(fd));
(void)TheHalfClosed->add(fd); // could also assert the result
commPlanHalfClosedCheck(); // may schedule check if we added the first FD
}
@@ -2131,7 +2130,7 @@
return -1;
}
- debugs(50, 3, HERE "Opened UDS FD " << new_socket << " : family=" << AI.ai_family << ", type=" << AI.ai_socktype << ", protocol=" << AI.ai_protocol);
+ debugs(50, 3, "Opened UDS FD " << new_socket << " : family=" << AI.ai_family << ", type=" << AI.ai_socktype << ", protocol=" << AI.ai_protocol);
/* update fdstat */
debugs(50, 5, HERE << "FD " << new_socket << " is a new socket");
diff -u -r -N squid-3.2.3/src/Debug.h squid-3.2.4/src/Debug.h
--- squid-3.2.3/src/Debug.h 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/Debug.h 2012-12-02 22:23:10.000000000 +1300
@@ -109,17 +109,28 @@
#define debugs(SECTION, LEVEL, CONTENT) \
do { \
if ((Debug::level = (LEVEL)) <= Debug::Levels[SECTION]) { \
- Debug::getDebugOut() << CONTENT; \
- Debug::finishDebug(); \
+ std::ostream &_dbo=Debug::getDebugOut(); \
+ if (Debug::level > DBG_IMPORTANT) \
+ _dbo << SkipBuildPrefix(__FILE__)<<"("<<__LINE__<<") "<<__FUNCTION__<<": "; \
+ _dbo << CONTENT; \
+ Debug::finishDebug(); \
} \
} while (/*CONSTCOND*/ 0)
-/*
- * HERE is a macro that you can use like this:
+/** stream manipulator which does nothing.
+ * \deprecated Do not add to new code, and remove when editing old code
*
+ * Its purpose is to inactivate calls made following previous debugs()
+ * guidelines such as
* debugs(1,2, HERE << "some message");
+ *
+ * His former objective is now absorbed in the debugs call itself
*/
-#define HERE SkipBuildPrefix(__FILE__)<<"("<<__LINE__<<") "<<__FUNCTION__<<": "
+inline std::ostream&
+HERE(std::ostream& s)
+{
+ return s;
+}
/*
* MYNAME is for use at debug levels 0 and 1 where HERE is too messy.
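Review bot: The new comment on `HERE` says its job has moved into `debugs()` but leaves out the condition: the file, line and function prefix is written only when `Debug::level > DBG_IMPORTANT`. Messages at the critical and important levels that relied on `HERE` therefore lose their location, and higher-level messages that never used `HERE` gain one. I would add a sentence to the macro's comment, e.g. `location prefix is added automatically for levels above DBG_IMPORTANT`. The macro also introduces a local named `_dbo`, so a `CONTENT` expression that refers to an outer variable of that name would bind to the stream instead.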
diff -u -r -N squid-3.2.3/src/delay_pools.cc squid-3.2.4/src/delay_pools.cc
--- squid-3.2.3/src/delay_pools.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/delay_pools.cc 2012-12-02 22:23:10.000000000 +1300
@@ -369,7 +369,7 @@
/* If we aren't active, don't try to update us ! */
assert (rate.restore_bps != -1);
- for (unsigned char j = 0; j < individuals.size(); ++j)
+ for (unsigned int j = 0; j < individuals.size(); ++j)
individuals.values[j].update (rate, incr);
}
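Review bot: The widened loop counter is the whole fix and has no comment explaining it, so a later cleanup could narrow it again. With `unsigned char j`, `j < individuals.size()` can never become false once the size exceeds 255, because `j` wraps to 0; this looks like the hang listed as Bug 3685 in the ChangeLog. I would add `// counter must be able to exceed 255, otherwise it wraps and the loop never ends` above the `for`. The type returned by `individuals.size()` is not shown; matching it exactly would avoid a repeat at a larger bound.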
diff -u -r -N squid-3.2.3/src/DiskIO/DiskDaemon/DiskdAction.cc squid-3.2.4/src/DiskIO/DiskDaemon/DiskdAction.cc
--- squid-3.2.3/src/DiskIO/DiskDaemon/DiskdAction.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/DiskIO/DiskDaemon/DiskdAction.cc 2012-12-02 22:23:10.000000000 +1300
@@ -17,7 +17,7 @@
DiskdActionData::DiskdActionData()
{
- xmemset(this, 0, sizeof(*this));
+ memset(this, 0, sizeof(*this));
}
DiskdActionData&
diff -u -r -N squid-3.2.3/src/DiskIO/DiskDaemon/DiskdIOStrategy.cc squid-3.2.4/src/DiskIO/DiskDaemon/DiskdIOStrategy.cc
--- squid-3.2.3/src/DiskIO/DiskDaemon/DiskdIOStrategy.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/DiskIO/DiskDaemon/DiskdIOStrategy.cc 2012-12-02 22:23:10.000000000 +1300
@@ -405,7 +405,8 @@
} else {
debugs(79, 1, "storeDiskdSend: msgsnd: " << xstrerror());
cbdataReferenceDone(M->callback_data);
- assert(++send_errors < 100);
+ ++send_errors;
+ assert(send_errors < 100);
if (shm_offset > -1)
shm.put(shm_offset);
}
diff -u -r -N squid-3.2.3/src/DiskIO/DiskThreads/aiops.cc squid-3.2.4/src/DiskIO/DiskThreads/aiops.cc
--- squid-3.2.3/src/DiskIO/DiskThreads/aiops.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/DiskIO/DiskThreads/aiops.cc 2012-12-02 22:23:10.000000000 +1300
@@ -308,6 +308,10 @@
done_queue.blocked = 0;
+ // Initialize the thread I/O pipes before creating any threads
+ // see bug 3189 comment 5 about race conditions.
+ CommIO::Initialize();
+
/* Create threads and get them to sit in their wait loop */
squidaio_thread_pool = memPoolCreate("aio_thread", sizeof(squidaio_thread_t));
diff -u -r -N squid-3.2.3/src/DiskIO/DiskThreads/CommIO.cc squid-3.2.4/src/DiskIO/DiskThreads/CommIO.cc
--- squid-3.2.3/src/DiskIO/DiskThreads/CommIO.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/DiskIO/DiskThreads/CommIO.cc 2012-12-02 22:23:10.000000000 +1300
@@ -38,19 +38,22 @@
#include "DiskIO/DiskThreads/CommIO.h"
void
-CommIO::Initialise()
+CommIO::Initialize()
{
+ if (CommIO::Initialized)
+ return;
+
/* Initialize done pipe signal */
int DonePipe[2];
if (pipe(DonePipe)) {}
DoneFD = DonePipe[1];
DoneReadFD = DonePipe[0];
- fd_open(DoneReadFD, FD_PIPE, "async-io completetion event: main");
- fd_open(DoneFD, FD_PIPE, "async-io completetion event: threads");
+ fd_open(DoneReadFD, FD_PIPE, "async-io completion event: main");
+ fd_open(DoneFD, FD_PIPE, "async-io completion event: threads");
commSetNonBlocking(DoneReadFD);
commSetNonBlocking(DoneFD);
Comm::SetSelect(DoneReadFD, COMM_SELECT_READ, NULLFDHandler, NULL, 0);
- Initialised = true;
+ Initialized = true;
}
void
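Review bot: `if (pipe(DonePipe)) {}` still discards a failed `pipe()`, so `Initialize()` goes on to use the uninitialised `DonePipe` values as descriptors and then sets `Initialized = true`. Now that `NotifyIOCompleted` treats a missing initialisation as fatal, a failed pipe should be fatal at the source as well: `if (pipe(DonePipe) < 0) fatalf("CommIO: pipe() failed: %s", xstrerror());`. Both `fatalf` and `xstrerror` are already used elsewhere in this diff.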
@@ -62,10 +65,10 @@
close(DoneReadFD);
fd_close(DoneFD);
fd_close(DoneReadFD);
- Initialised = false;
+ Initialized = false;
}
-bool CommIO::Initialised = false;
+bool CommIO::Initialized = false;
bool CommIO::DoneSignalled = false;
int CommIO::DoneFD = -1;
int CommIO::DoneReadFD = -1;
diff -u -r -N squid-3.2.3/src/DiskIO/DiskThreads/CommIO.h squid-3.2.4/src/DiskIO/DiskThreads/CommIO.h
--- squid-3.2.3/src/DiskIO/DiskThreads/CommIO.h 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/DiskIO/DiskThreads/CommIO.h 2012-12-02 22:23:10.000000000 +1300
@@ -9,25 +9,25 @@
public:
static inline void NotifyIOCompleted();
static void ResetNotifications();
- static void Initialise();
+ static void Initialize();
static void NotifyIOClose();
private:
static void NULLFDHandler(int, void *);
static void FlushPipe();
- static bool Initialised;
+ static bool Initialized;
static bool DoneSignalled;
static int DoneFD;
static int DoneReadFD;
};
-
-/* Inline code. TODO: make structued approach to inlining */
+/* Inline code. TODO: make structured approach to inlining */
void
CommIO::NotifyIOCompleted()
{
- if (!Initialised)
- Initialise();
+ if (!Initialized) {
+ fatalf("Disk Threads I/O pipes not initialized before first use.");
+ }
if (!DoneSignalled) {
DoneSignalled = true;
diff -u -r -N squid-3.2.3/src/DiskIO/DiskThreads/DiskThreadsDiskFile.cc squid-3.2.4/src/DiskIO/DiskThreads/DiskThreadsDiskFile.cc
--- squid-3.2.3/src/DiskIO/DiskThreads/DiskThreadsDiskFile.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/DiskIO/DiskThreads/DiskThreadsDiskFile.cc 2012-12-02 22:23:10.000000000 +1300
@@ -356,7 +356,8 @@
debugs(79, 3, "DiskThreadsDiskFile::writeDone: FD " << fd << ", len " << len << ", err=" << errflag);
- assert(++loop_detect < 10);
+ ++loop_detect;
+ assert(loop_detect < 10);
--inProgressIOs;
diff -u -r -N squid-3.2.3/src/dns_internal.cc squid-3.2.4/src/dns_internal.cc
--- squid-3.2.3/src/dns_internal.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/dns_internal.cc 2012-12-02 22:23:10.000000000 +1300
@@ -324,7 +324,8 @@
}
assert(npc < npc_alloc);
- strcpy(searchpath[npc].domain, buf);
+ strncpy(searchpath[npc].domain, buf, sizeof(searchpath[npc].domain)-1);
+ searchpath[npc].domain[sizeof(searchpath[npc].domain)-1] = '\0';
Tolower(searchpath[npc].domain);
debugs(78, 3, "idnsAddPathComponent: Added domain #" << npc << ": " << searchpath[npc].domain);
++npc;
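Review bot: The bounded copy removes the overflow but truncates silently, so an over-long search domain is stored as a different, shorter domain and then used for lookups. Rejecting the entry is safer than querying a name the administrator did not configure: test `strlen(buf) >= sizeof(searchpath[npc].domain)` before the copy, log it with `debugs(78, DBG_IMPORTANT, ...)` and skip the component. The enclosing function starts and ends outside the hunk.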
diff -u -r -N squid-3.2.3/src/eui/Eui48.cc squid-3.2.4/src/eui/Eui48.cc
--- squid-3.2.3/src/eui/Eui48.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/eui/Eui48.cc 2012-12-02 22:23:10.000000000 +1300
@@ -174,6 +174,11 @@
/* IPv6 builds do not provide the first http_port as an IPv4 socket for ARP */
int tmpSocket = socket(AF_INET,SOCK_STREAM,0);
+ if (tmpSocket < 0) {
+ debugs(28, DBG_IMPORTANT, "Attempt to open socket for EUI retrieval failed: " << xstrerror());
+ clear();
+ return false;
+ }
/*
* The linux kernel 2.2 maintains per interface ARP caches and
@@ -313,6 +318,11 @@
/* IPv6 builds do not provide the first http_port as an IPv4 socket for ARP */
int tmpSocket = socket(AF_INET,SOCK_STREAM,0);
+ if (tmpSocket < 0) {
+ debugs(28, DBG_IMPORTANT, "Attempt to open socket for EUI retrieval failed: " << xstrerror());
+ clear();
+ return false;
+ }
/* Set up structures for ARP lookup with blank interface name */
struct arpreq arpReq;
diff -u -r -N squid-3.2.3/src/http.cc squid-3.2.4/src/http.cc
--- squid-3.2.3/src/http.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/http.cc 2012-12-02 22:23:10.000000000 +1300
@@ -395,25 +395,28 @@
return 0;
}
- // HTTPbis pt7 section 4.1 clause 3: a response CC:public is present
bool mayStore = false;
+ // HTTPbis pt6 section 3.2: a response CC:public is present
if (rep->cache_control->Public()) {
debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:public");
mayStore = true;
- // HTTPbis pt7 section 4.1 clause 2: a response CC:must-revalidate is present
+ // HTTPbis pt6 section 3.2: a response CC:must-revalidate is present
} else if (rep->cache_control->mustRevalidate() && !REFRESH_OVERRIDE(ignore_must_revalidate)) {
debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:public");
mayStore = true;
-#if 0 // waiting on HTTPbis WG agreement before we do this
+#if USE_HTTP_VIOLATIONS
// NP: given the must-revalidate exception we should also be able to exempt no-cache.
- } else if (rep->cache_control->noCache()) {
- debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:no-cache");
+ // HTTPbis WG verdict on this is that it is omitted from the spec due to being 'unexpected' by
+ // some. The caching+revalidate is not exactly unsafe though with Squids interpretation of no-cache
+ // as equivalent to must-revalidate in the reply.
+ } else if (rep->cache_control->noCache() && !REFRESH_OVERRIDE(ignore_must_revalidate)) {
+ debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:no-cache (equivalent to must-revalidate)");
mayStore = true;
#endif
- // HTTPbis pt7 section 4.1 clause 1: a response CC:s-maxage is present
+ // HTTPbis pt6 section 3.2: a response CC:s-maxage is present
} else if (rep->cache_control->sMaxAge()) {
debugs(22, 3, HERE << " Authenticated but server reply Cache-Control:s-maxage");
mayStore = true;
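Review bot: The `mustRevalidate()` branch logs `"Authenticated but server reply Cache-Control:public"`, a copy of the message from the branch above, and this commit leaves it as is while adding a third branch next to it. Anyone tracing why an authenticated reply was stored in the shared cache is pointed at the wrong directive; the line should read `debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:must-revalidate");`. The new `noCache()` branch stores authenticated replies on the assumption that no-cache is handled like must-revalidate on every hit; that enforcement is outside this hunk and worth a test.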
diff -u -r -N squid-3.2.3/src/icmp/pinger.cc squid-3.2.4/src/icmp/pinger.cc
--- squid-3.2.3/src/icmp/pinger.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/icmp/pinger.cc 2012-12-02 22:23:10.000000000 +1300
@@ -180,8 +180,18 @@
}
max_fd = max(max_fd, squid_link);
- setgid(getgid());
- setuid(getuid());
+ if (setgid(getgid()) < 0) {
+ debugs(42, DBG_CRITICAL, "FATAL: pinger: setgid(" << getgid() << ") failed: " << xstrerror());
+ icmp4.Close();
+ icmp6.Close();
+ exit (1);
+ }
+ if (setuid(getuid()) < 0) {
+ debugs(42, DBG_CRITICAL, "FATAL: pinger: setuid(" << getuid() << ") failed: " << xstrerror());
+ icmp4.Close();
+ icmp6.Close();
+ exit (1);
+ }
last_check_time = squid_curtime;
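Review bot: The privilege drop is now checked, but nothing in the hunk says why `setgid` must come before `setuid`, and the order is what makes it work: once the user ID is dropped the process may no longer be allowed to change its group. I would add `// drop group first: after setuid() we may lack the privilege to call setgid()` above the first check. The two failure branches are identical apart from the call and the message, so a small helper would keep the cleanup (`icmp4.Close(); icmp6.Close(); exit(1);`) in one place.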
diff -u -r -N squid-3.2.3/src/ipc/SharedListen.cc squid-3.2.4/src/ipc/SharedListen.cc
--- squid-3.2.3/src/ipc/SharedListen.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/ipc/SharedListen.cc 2012-12-02 22:23:10.000000000 +1300
@@ -45,7 +45,7 @@
Ipc::OpenListenerParams::OpenListenerParams()
{
- xmemset(this, 0, sizeof(*this));
+ memset(this, 0, sizeof(*this));
}
bool
diff -u -r -N squid-3.2.3/src/ipc/StoreMap.cc squid-3.2.4/src/ipc/StoreMap.cc
--- squid-3.2.3/src/ipc/StoreMap.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/ipc/StoreMap.cc 2012-12-02 22:23:10.000000000 +1300
@@ -272,8 +272,8 @@
Ipc::StoreMapSlot::StoreMapSlot(): state(Empty)
{
- xmemset(&key, 0, sizeof(key));
- xmemset(&basics, 0, sizeof(basics));
+ memset(&key, 0, sizeof(key));
+ memset(&basics, 0, sizeof(basics));
}
void
diff -u -r -N squid-3.2.3/src/ipc/TypedMsgHdr.cc squid-3.2.4/src/ipc/TypedMsgHdr.cc
--- squid-3.2.3/src/ipc/TypedMsgHdr.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/ipc/TypedMsgHdr.cc 2012-12-02 22:23:10.000000000 +1300
@@ -14,7 +14,7 @@
Ipc::TypedMsgHdr::TypedMsgHdr()
{
- xmemset(this, 0, sizeof(*this));
+ memset(this, 0, sizeof(*this));
sync();
}
@@ -208,7 +208,7 @@
void
Ipc::TypedMsgHdr::prepForReading()
{
- xmemset(this, 0, sizeof(*this));
+ memset(this, 0, sizeof(*this));
allocName();
allocData();
allocControl();
diff -u -r -N squid-3.2.3/src/main.cc squid-3.2.4/src/main.cc
--- squid-3.2.3/src/main.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/main.cc 2012-12-02 22:23:10.000000000 +1300
@@ -512,6 +512,7 @@
/** \par l
* Stores the syslog facility name in global opt_syslog_facility
* then performs actions for -s option. */
+ xfree(opt_syslog_facility); // ignore any previous options sent
opt_syslog_facility = xstrdup(optarg);
case 's':
diff -u -r -N squid-3.2.3/src/MemBlob.cc squid-3.2.4/src/MemBlob.cc
--- squid-3.2.3/src/MemBlob.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/MemBlob.cc 2012-12-02 22:23:10.000000000 +1300
@@ -47,7 +47,7 @@
/* MemBlobStats */
-MemBlobStats::MemBlobStats(): alloc(0), live(0), append(0)
+MemBlobStats::MemBlobStats(): alloc(0), live(0), append(0), liveBytes(0)
{}
std::ostream&
diff -u -r -N squid-3.2.3/src/mgr/CountersAction.cc squid-3.2.4/src/mgr/CountersAction.cc
--- squid-3.2.3/src/mgr/CountersAction.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/mgr/CountersAction.cc 2012-12-02 22:23:10.000000000 +1300
@@ -19,7 +19,7 @@
Mgr::CountersActionData::CountersActionData()
{
- xmemset(this, 0, sizeof(*this));
+ memset(this, 0, sizeof(*this));
}
Mgr::CountersActionData&
diff -u -r -N squid-3.2.3/src/mgr/InfoAction.cc squid-3.2.4/src/mgr/InfoAction.cc
--- squid-3.2.3/src/mgr/InfoAction.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/mgr/InfoAction.cc 2012-12-02 22:23:10.000000000 +1300
@@ -26,7 +26,7 @@
Mgr::InfoActionData::InfoActionData()
{
- xmemset(this, 0, sizeof(*this));
+ memset(this, 0, sizeof(*this));
}
Mgr::InfoActionData&
diff -u -r -N squid-3.2.3/src/mgr/IntervalAction.cc squid-3.2.4/src/mgr/IntervalAction.cc
--- squid-3.2.3/src/mgr/IntervalAction.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/mgr/IntervalAction.cc 2012-12-02 22:23:10.000000000 +1300
@@ -19,7 +19,7 @@
Mgr::IntervalActionData::IntervalActionData()
{
- xmemset(this, 0, sizeof(*this));
+ memset(this, 0, sizeof(*this));
}
Mgr::IntervalActionData&
diff -u -r -N squid-3.2.3/src/mgr/IoAction.cc squid-3.2.4/src/mgr/IoAction.cc
--- squid-3.2.3/src/mgr/IoAction.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/mgr/IoAction.cc 2012-12-02 22:23:10.000000000 +1300
@@ -19,7 +19,7 @@
Mgr::IoActionData::IoActionData()
{
- xmemset(this, 0, sizeof(*this));
+ memset(this, 0, sizeof(*this));
}
Mgr::IoActionData&
diff -u -r -N squid-3.2.3/src/mgr/ServiceTimesAction.cc squid-3.2.4/src/mgr/ServiceTimesAction.cc
--- squid-3.2.3/src/mgr/ServiceTimesAction.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/mgr/ServiceTimesAction.cc 2012-12-02 22:23:10.000000000 +1300
@@ -18,7 +18,7 @@
Mgr::ServiceTimesActionData::ServiceTimesActionData()
{
- xmemset(this, 0, sizeof(*this));
+ memset(this, 0, sizeof(*this));
}
Mgr::ServiceTimesActionData&
diff -u -r -N squid-3.2.3/src/mgr/StoreIoAction.cc squid-3.2.4/src/mgr/StoreIoAction.cc
--- squid-3.2.3/src/mgr/StoreIoAction.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/mgr/StoreIoAction.cc 2012-12-02 22:23:10.000000000 +1300
@@ -15,7 +15,7 @@
Mgr::StoreIoActionData::StoreIoActionData()
{
- xmemset(this, 0, sizeof(*this));
+ memset(this, 0, sizeof(*this));
}
Mgr::StoreIoActionData&
diff -u -r -N squid-3.2.3/src/neighbors.cc squid-3.2.4/src/neighbors.cc
--- squid-3.2.3/src/neighbors.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/neighbors.cc 2012-12-02 22:23:10.000000000 +1300
@@ -833,7 +833,7 @@
{
#if USE_CACHE_DIGESTS
if (p)
- strncpy(request->hier.cd_host, p->host, sizeof(request->hier.cd_host));
+ strncpy(request->hier.cd_host, p->host, sizeof(request->hier.cd_host)-1);
else
*request->hier.cd_host = '\0';
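Review bot: The new `strncpy(..., sizeof(request->hier.cd_host)-1)` never writes the terminator itself: when `p->host` fills the limit, the last byte of `cd_host` keeps whatever it held before. Unless the buffer is known to be zeroed at this point (not visible in the hunk), terminate it explicitly with `request->hier.cd_host[sizeof(request->hier.cd_host)-1] = '\0';`, which also means bracing the `if (p)` branch. The enclosing function starts and ends outside the hunk.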
diff -u -r -N squid-3.2.3/src/PeerDigest.h squid-3.2.4/src/PeerDigest.h
--- squid-3.2.3/src/PeerDigest.h 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/PeerDigest.h 2012-12-02 22:23:10.000000000 +1300
@@ -64,6 +64,10 @@
int reserved[32 - 6];
};
+class HttpRequest;
+class PeerDigest;
+class store_client;
+
struct _DigestFetchState {
PeerDigest *pd;
StoreEntry *entry;
diff -u -r -N squid-3.2.3/src/protos.h squid-3.2.4/src/protos.h
--- squid-3.2.3/src/protos.h 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/protos.h 2012-12-02 22:23:10.000000000 +1300
@@ -519,9 +519,6 @@
String ProcessRoles();
SQUIDCEXTERN int DebugSignal;
-/* AYJ debugs function to show locations being reset with memset() */
-SQUIDCEXTERN void *xmemset(void *dst, int, size_t);
-
SQUIDCEXTERN void debug_trap(const char *);
SQUIDCEXTERN void logsFlush(void);
SQUIDCEXTERN const char *checkNullString(const char *p);
diff -u -r -N squid-3.2.3/src/snmp/Pdu.cc squid-3.2.4/src/snmp/Pdu.cc
--- squid-3.2.3/src/snmp/Pdu.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/snmp/Pdu.cc 2012-12-02 22:23:10.000000000 +1300
@@ -44,7 +44,7 @@
void
Snmp::Pdu::init()
{
- xmemset(this, 0, sizeof(*this));
+ memset(this, 0, sizeof(*this));
errstat = SNMP_DEFAULT_ERRSTAT;
errindex = SNMP_DEFAULT_ERRINDEX;
}
diff -u -r -N squid-3.2.3/src/snmp/Session.cc squid-3.2.4/src/snmp/Session.cc
--- squid-3.2.3/src/snmp/Session.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/snmp/Session.cc 2012-12-02 22:23:10.000000000 +1300
@@ -38,7 +38,7 @@
void
Snmp::Session::clear()
{
- xmemset(this, 0, sizeof(*this));
+ memset(this, 0, sizeof(*this));
}
void
diff -u -r -N squid-3.2.3/src/snmp/Var.cc squid-3.2.4/src/snmp/Var.cc
--- squid-3.2.3/src/snmp/Var.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/snmp/Var.cc 2012-12-02 22:23:10.000000000 +1300
@@ -42,7 +42,7 @@
void
Snmp::Var::init()
{
- xmemset(this, 0, sizeof(*this));
+ memset(this, 0, sizeof(*this));
}
Snmp::Var&
diff -u -r -N squid-3.2.3/src/ssl/certificate_db.cc squid-3.2.4/src/ssl/certificate_db.cc
--- squid-3.2.3/src/ssl/certificate_db.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/ssl/certificate_db.cc 2012-12-02 22:23:10.000000000 +1300
@@ -108,19 +108,38 @@
Ssl::CertificateDb::Row::Row()
: width(cnlNumber)
{
- row = new char *[width + 1];
+ row = (char **)OPENSSL_malloc(sizeof(char *) * (width + 1));
for (size_t i = 0; i < width + 1; ++i)
row[i] = NULL;
}
+Ssl::CertificateDb::Row::Row(char **aRow, size_t aWidth): width(aWidth)
+{
+ row = aRow;
+}
+
Ssl::CertificateDb::Row::~Row()
{
- if (row) {
+ if (!row)
+ return;
+
+ void *max;
+ if ((max = (void *)row[width]) != NULL) {
+ // It is an openSSL allocated row. The TXT_DB_read function stores the
+ // index and row items one one memory segment. The row[width] points
+ // to the end of buffer. We have to check for items in the array which
+ // are not stored in this segment. These items should released.
for (size_t i = 0; i < width + 1; ++i) {
- delete[](row[i]);
+ if (((row[i] < (char *)row) || (row[i] > max)) && (row[i] != NULL))
+ OPENSSL_free(row[i]);
+ }
+ } else {
+ for (size_t i = 0; i < width + 1; ++i) {
+ if (row[i])
+ OPENSSL_free(row[i]);
}
- delete[](row);
}
+ OPENSSL_free(row);
}
void Ssl::CertificateDb::Row::reset()
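Review bot: `Row::Row()` now allocates with `OPENSSL_malloc` but never checks the result, so a failed allocation is dereferenced by the `row[i] = NULL` loop on the next line. Check the pointer before the loop and fail explicitly there. In the destructor comment, "one one memory segment" should read "in one memory segment", and it would help to state that the `row[width] != NULL` test is what separates a `TXT_DB_read` row from one built by `Row()`.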
@@ -135,7 +154,7 @@
free(row[cell]);
}
if (value) {
- row[cell] = static_cast(malloc(sizeof(char) * (strlen(value) + 1)));
+ row[cell] = static_cast(OPENSSL_malloc(sizeof(char) * (strlen(value) + 1)));
memcpy(row[cell], value, sizeof(char) * (strlen(value) + 1));
} else
row[cell] = NULL;
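Review bot: The cell is now allocated with `OPENSSL_malloc`, but the context line above still releases the previous value with `free(row[cell]);`, while the destructor in this same commit uses `OPENSSL_free`. The pair should match: `OPENSSL_free(row[cell]);`. The new allocation is also handed straight to `memcpy` without a NULL check. The function body starts outside the hunk.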
@@ -146,6 +165,55 @@
return row;
}
+void Ssl::CertificateDb::sq_TXT_DB_delete(TXT_DB *db, const char **row)
+{
+ if (!db)
+ return;
+
+#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
+ for (int i = 0; i < sk_OPENSSL_PSTRING_num(db->data); ++i) {
+ const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db->data, i));
+#else
+ for (int i = 0; i < sk_num(db->data); ++i) {
+ const char ** current_row = ((const char **)sk_value(db->data, i));
+#endif
+ if (current_row == row) {
+ sq_TXT_DB_delete_row(db, i);
+ return;
+ }
+ }
+}
+
+#define countof(arr) (sizeof(arr)/sizeof(*arr))
+void Ssl::CertificateDb::sq_TXT_DB_delete_row(TXT_DB *db, int idx)
+{
+ char **rrow;
+#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
+ rrow = (char **)sk_OPENSSL_PSTRING_delete(db->data, idx);
+#else
+ rrow = (char **)sk_delete(db->data, idx);
+#endif
+
+ if (!rrow)
+ return;
+
+ Row row(rrow, cnlNumber); // row wrapper used to free the rrow
+
+ const Columns db_indexes[]={cnlSerial, cnlName};
+ for (unsigned int i = 0; i < countof(db_indexes); ++i) {
+ void *data = NULL;
+#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
+ if (LHASH_OF(OPENSSL_STRING) *fieldIndex = db->index[db_indexes[i]])
+ data = lh_OPENSSL_STRING_delete(fieldIndex, rrow);
+#else
+ if (LHASH *fieldIndex = db->index[db_indexes[i]])
+ data = lh_delete(fieldIndex, rrow);
+#endif
+ if (data)
+ assert(data == rrow);
+ }
+}
+
unsigned long Ssl::CertificateDb::index_serial_hash(const char **a)
{
const char *n = a[Ssl::CertificateDb::cnlSerial];
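Review bot: `sq_TXT_DB_delete_row` needs a comment on ownership: the local `Row row(rrow, cnlNumber)` releases the removed row when the function returns, so any pointer to that row held by a caller is invalid afterwards. Suggested wording above the definition: `// Frees the removed row; callers must not read it after this returns.` `deleteRow` (hunk at -485) builds `filename` from `row[cnlSerial]` before the call, which is the order that stays safe if `row` is the row at `rowIndex`. The `countof` macro should also parenthesise its argument: `(sizeof(arr)/sizeof(*(arr)))`.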
@@ -219,13 +287,24 @@
}
row.setValue(cnlSerial, serial_string.c_str());
char ** rrow = TXT_DB_get_by_index(db.get(), cnlSerial, row.getRow());
- if (rrow != NULL)
- return false;
+ if (rrow != NULL) {
+ // TODO: check if the stored row is valid.
+ return true;
+ }
{
TidyPointer subject(X509_NAME_oneline(X509_get_subject_name(cert.get()), NULL, 0));
- if (pure_find(subject.get(), cert, pkey))
+ Ssl::X509_Pointer findCert;
+ Ssl::EVP_PKEY_Pointer findPkey;
+ if (pure_find(subject.get(), findCert, findPkey)) {
+ // Replace with database certificate
+ cert.reset(findCert.release());
+ pkey.reset(findPkey.release());
return true;
+ }
+ // pure_find may fail because the entry is expired, or because the
+ // certs file is corrupted. Remove any entry with given hostname
+ deleteByHostname(subject.get());
}
// check db size while trying to minimize calls to size()
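Review bot: `subject.get()` is passed to `deleteByHostname()` without a NULL check; `X509_NAME_oneline()` returns NULL when it cannot allocate, and `deleteByHostname` takes a `std::string const &` (see certificate_db.h in this diff), so a NULL here would construct a `std::string` from a null pointer. A guard such as `if (!subject.get()) return false;` before the `pure_find` call covers both uses. Separately, the `return true` on an existing serial reports success without comparing the stored row to `cert`/`pkey`, as the TODO admits; until that check exists, a comment stating what the caller may assume would help. The enclosing function starts and ends outside the hunk.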
@@ -235,8 +314,10 @@
// there are no more invalid ones, but there must be valid certificates
do {
- if (!deleteOldestCertificate())
+ if (!deleteOldestCertificate()) {
+ save(); // Some entries may have been removed. Update the index file.
return false; // errors prevented us from freeing enough space
+ }
} while (size() > max_db_size);
break;
}
@@ -250,13 +331,22 @@
row.setValue(cnlName, subject.get());
}
- if (!TXT_DB_insert(db.get(), row.getRow()))
+ if (!TXT_DB_insert(db.get(), row.getRow())) {
+ // failed to add index (???) but we may have already modified
+ // the database so save before exit
+ save();
return false;
-
+ }
+ rrow = row.getRow();
row.reset();
+
std::string filename(cert_full + "/" + serial_string + ".pem");
- if (!writeCertAndPrivateKeyToFile(cert, pkey, filename.c_str()))
+ if (!writeCertAndPrivateKeyToFile(cert, pkey, filename.c_str())) {
+ //remove row from txt_db and save
+ sq_TXT_DB_delete(db.get(), (const char **)rrow);
+ save();
return false;
+ }
addSize(filename);
save();
@@ -382,10 +472,8 @@
if (rrow == NULL)
return false;
- if (!sslDateIsInTheFuture(rrow[cnlExp_date])) {
- deleteByHostname(rrow[cnlName]);
+ if (!sslDateIsInTheFuture(rrow[cnlExp_date]))
return false;
- }
// read cert and pkey from file.
std::string filename(cert_full + "/" + rrow[cnlSerial] + ".pem");
@@ -485,26 +573,10 @@
}
// Normally defined in defines.h file
-#define countof(arr) (sizeof(arr)/sizeof(*arr))
void Ssl::CertificateDb::deleteRow(const char **row, int rowIndex)
{
const std::string filename(cert_full + "/" + row[cnlSerial] + ".pem");
-#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
- sk_OPENSSL_PSTRING_delete(db.get()->data, rowIndex);
-#else
- sk_delete(db.get()->data, rowIndex);
-#endif
-
- const Columns db_indexes[]={cnlSerial, cnlName};
- for (unsigned int i = 0; i < countof(db_indexes); ++i) {
-#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
- if (LHASH_OF(OPENSSL_STRING) *fieldIndex = db.get()->index[db_indexes[i]])
- lh_OPENSSL_STRING_delete(fieldIndex, (char **)row);
-#else
- if (LHASH *fieldIndex = db.get()->index[db_indexes[i]])
- lh_delete(fieldIndex, row);
-#endif
- }
+ sq_TXT_DB_delete_row(db.get(), rowIndex);
subSize(filename);
int ret = remove(filename.c_str());
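Review bot: The context comment `// Normally defined in defines.h file` is left orphaned above `deleteRow` now that the `#define countof` it described has moved next to `sq_TXT_DB_delete_row`; it should move with the macro or be deleted. `deleteRow` continues outside the hunk.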
diff -u -r -N squid-3.2.3/src/ssl/certificate_db.h squid-3.2.4/src/ssl/certificate_db.h
--- squid-3.2.3/src/ssl/certificate_db.h 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/ssl/certificate_db.h 2012-12-02 22:23:10.000000000 +1300
@@ -81,6 +81,8 @@
public:
/// Create row wrapper.
Row();
+ ///Create row wrapper for row with width items
+ Row(char **row, size_t width);
/// Delete all row.
~Row();
void setValue(size_t number, char const * value); ///< Set cell's value in row
@@ -123,6 +125,11 @@
bool deleteOldestCertificate(); ///< Delete oldest certificate.
bool deleteByHostname(std::string const & host); ///< Delete using host name.
+ /// Removes the first matching row from TXT_DB. Ignores failures.
+ static void sq_TXT_DB_delete(TXT_DB *db, const char **row);
+ /// Remove the row on position idx from TXT_DB. Ignores failures.
+ static void sq_TXT_DB_delete_row(TXT_DB *db, int idx);
+
/// Callback hash function for serials. Used to create TXT_DB index of serials.
static unsigned long index_serial_hash(const char **a);
/// Callback compare function for serials. Used to create TXT_DB index of serials.
diff -u -r -N squid-3.2.3/src/StoreStats.cc squid-3.2.4/src/StoreStats.cc
--- squid-3.2.3/src/StoreStats.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/StoreStats.cc 2012-12-02 22:23:10.000000000 +1300
@@ -14,7 +14,7 @@
StoreInfoStats::StoreInfoStats()
{
- xmemset(this, 0, sizeof(*this));
+ memset(this, 0, sizeof(*this));
}
StoreInfoStats &
@@ -57,6 +57,6 @@
StoreIoStats::StoreIoStats()
{
- xmemset(this, 0, sizeof(*this));
+ memset(this, 0, sizeof(*this));
}
diff -u -r -N squid-3.2.3/src/tests/stub_tools.cc squid-3.2.4/src/tests/stub_tools.cc
--- squid-3.2.3/src/tests/stub_tools.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/tests/stub_tools.cc 2012-12-02 22:23:10.000000000 +1300
@@ -47,13 +47,6 @@
fatal("tools.cc required");
}
-void*
-xmemset(void* dst, int val, size_t sz)
-{
- assert(dst);
- return memset(dst, val, sz);
-}
-
bool
IamWorkerProcess()
{
diff -u -r -N squid-3.2.3/src/tools.cc squid-3.2.4/src/tools.cc
--- squid-3.2.3/src/tools.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/tools.cc 2012-12-02 22:23:10.000000000 +1300
@@ -754,10 +754,10 @@
void
enter_suid(void)
{
- debugs(21, 3, "enter_suid: PID " << getpid() << " taking root priveleges");
+ debugs(21, 3, "enter_suid: PID " << getpid() << " taking root privileges");
#if HAVE_SETRESUID
-
- setresuid((uid_t)-1, 0, (uid_t)-1);
+ if (setresuid((uid_t)-1, 0, (uid_t)-1) < 0)
+ debugs (21, 3, "enter_suid: setresuid failed: " << xstrerror ());
#else
setuid(0);
@@ -782,10 +782,11 @@
uid = geteuid();
debugs(21, 3, "no_suid: PID " << getpid() << " giving up root priveleges forever");
- setuid(0);
+ if (setuid(0) < 0)
+ debugs(50, DBG_IMPORTANT, "WARNING: no_suid: setuid(0): " << xstrerror());
if (setuid(uid) < 0)
- debugs(50, 1, "no_suid: setuid: " << xstrerror());
+ debugs(50, DBG_IMPORTANT, "ERROR: no_suid: setuid(" << uid << "): " << xstrerror());
restoreCapabilities(0);
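Review bot: `no_suid` announces in its own log line that root is given up "forever", yet a failed `setuid(uid)` is only logged and execution continues into `restoreCapabilities(0)`, possibly still with root privileges. A failed privilege drop should stop the process, for example `fatal("no_suid: setuid failed");` after the ERROR line, if that fits the callers (fatal() is called elsewhere in this diff). The context line still spells "priveleges", which this commit corrects only in `enter_suid`. The function starts and ends outside the hunk.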
@@ -1226,8 +1227,9 @@
/* For IPV6 addresses also check for a colon */
if (Config.appendDomain && !strchr(lt, '.') && !strchr(lt, ':')) {
/* I know it's ugly, but it's only at reconfig */
- strncpy(buf2, lt, 512);
- strncat(buf2, Config.appendDomain, 512 - strlen(lt) - 1);
+ strncpy(buf2, lt, sizeof(buf2)-1);
+ strncat(buf2, Config.appendDomain, sizeof(buf2) - strlen(lt) - 1);
+ buf2[sizeof(buf2)-1] = '\0';
host = buf2;
} else {
host = lt;
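Review bot: When `lt` is at least `sizeof(buf2)-1` characters long, `strncpy` leaves `buf2` unterminated, and for anything longer `sizeof(buf2) - strlen(lt) - 1` wraps around as an unsigned value, so `strncat` first scans past the end of `buf2` and then appends without a real bound; the terminator written on the last added line comes too late. A single bounded call avoids both problems: `snprintf(buf2, sizeof(buf2), "%s%s", lt, Config.appendDomain);`. This assumes `buf2` is an array, as the new `sizeof` already does; its declaration is outside the hunk.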
@@ -1383,13 +1385,3 @@
Ip::Interceptor.StopTransparency("Missing needed capability support.");
#endif /* HAVE_SYS_CAPABILITY_H */
}
-
-void *
-xmemset(void *dst, int val, size_t sz)
-{
- // do debugs output
- debugs(63, 9, "memset: dst=" << dst << ", val=" << val << ", bytes=" << sz);
-
- // call the system one to do the actual work ~safely.
- return memset(dst, val, sz);
-}
diff -u -r -N squid-3.2.3/src/tunnel.cc squid-3.2.4/src/tunnel.cc
--- squid-3.2.3/src/tunnel.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/tunnel.cc 2012-12-02 22:23:10.000000000 +1300
@@ -318,6 +318,14 @@
commSetConnTimeout(from.conn, Config.Timeout.read, timeoutCall);
}
+ /* Bump the dest connection read timeout on any activity */
+ /* see Bug 3659: tunnels can be weird, with very long one-way transfers */
+ if (Comm::IsConnOpen(to.conn)) {
+ AsyncCall::Pointer timeoutCall = commCbCall(5, 4, "tunnelTimeout",
+ CommTimeoutCbPtrFun(tunnelTimeout, this));
+ commSetConnTimeout(to.conn, Config.Timeout.read, timeoutCall);
+ }
+
if (errcode)
from.error (xerrno);
else if (len == 0 || !Comm::IsConnOpen(to.conn)) {
diff -u -r -N squid-3.2.3/src/unlinkd_daemon.cc squid-3.2.4/src/unlinkd_daemon.cc
--- squid-3.2.3/src/unlinkd_daemon.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/unlinkd_daemon.cc 2012-12-02 22:23:10.000000000 +1300
@@ -79,9 +79,11 @@
setbuf(stdin, NULL);
setbuf(stdout, NULL);
close(2);
- open(_PATH_DEVNULL, O_RDWR);
+ if (open(_PATH_DEVNULL, O_RDWR) < 0) {
+ ; // the irony of having to close(2) earlier is that we cannot report this failure.
+ }
- while (fgets(buf, UNLINK_BUF_LEN, stdin)) {
+ while (fgets(buf, sizeof(buf), stdin)) {
if ((t = strchr(buf, '\n')))
*t = '\0';
x = unlink(buf);
diff -u -r -N squid-3.2.3/src/url.cc squid-3.2.4/src/url.cc
--- squid-3.2.3/src/url.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/url.cc 2012-12-02 22:23:10.000000000 +1300
@@ -312,10 +312,12 @@
/* Is there any login information? (we should eventually parse it above) */
t = strrchr(host, '@');
if (t != NULL) {
- strcpy((char *) login, (char *) host);
+ strncpy((char *) login, (char *) host, sizeof(login)-1);
+ login[sizeof(login)-1] = '\0';
t = strrchr(login, '@');
*t = 0;
- strcpy((char *) host, t + 1);
+ strncpy((char *) host, t + 1, sizeof(host)-1);
+ host[sizeof(host)-1] = '\0';
}
/* Is there any host information? (we should eventually parse it above) */
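Review bot: After the now-truncating copy into `login`, `t = strrchr(login, '@')` can return NULL when the `@` in `host` lies beyond `sizeof(login)-1`, and the next line writes through `t` unchecked. Whether that can happen depends on the sizes of `host` and `login`, which are declared outside the hunk; the check is cheap either way: test `if ((t = strrchr(login, '@')) == NULL)` and reject the URL before `*t = 0;`. The enclosing function starts and ends outside the hunk.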
diff -u -r -N squid-3.2.3/src/wccp2.cc squid-3.2.4/src/wccp2.cc
--- squid-3.2.3/src/wccp2.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/src/wccp2.cc 2012-12-02 22:23:10.000000000 +1300
@@ -613,7 +613,7 @@
SquidMD5Init(&M);
- SquidMD5Update(&M, pwd, 8);
+ SquidMD5Update(&M, pwd, sizeof(pwd));
SquidMD5Update(&M, packet, len);
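Review bot: Replacing the literal `8` with `sizeof(pwd)` ties the number of bytes fed to the MD5 to the buffer's declaration, while the comment in the -659 hunk says the password field must be exactly 8 bytes. The declaration of `pwd` is not visible here; if it is larger than 8 (for example to hold a terminator), the digest changes and peers would reject it. Prefer a named constant for the field length in both calls (the second is in the -669 hunk), e.g. `SquidMD5Update(&M, pwd, PASSWORD_FIELD_LEN);` where `PASSWORD_FIELD_LEN` is a placeholder name for the 8-byte field size.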
@@ -659,7 +659,6 @@
/* The password field, for the MD5 hash, needs to be 8 bytes and NUL padded. */
memset(pwd, 0, sizeof(pwd));
-
strncpy(pwd, srv->wccp_password, sizeof(pwd));
/* Take a copy of the challenge: we need to NUL it before comparing */
@@ -669,7 +668,7 @@
SquidMD5Init(&M);
- SquidMD5Update(&M, pwd, 8);
+ SquidMD5Update(&M, pwd, sizeof(pwd));
SquidMD5Update(&M, packet, len);
diff -u -r -N squid-3.2.3/tools/cachemgr.cc squid-3.2.4/tools/cachemgr.cc
--- squid-3.2.3/tools/cachemgr.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/tools/cachemgr.cc 2012-12-02 22:23:10.000000000 +1300
@@ -596,12 +596,15 @@
if ((p = strchr(x, '\n')))
*p = '\0';
action = xstrtok(&x, '\t');
+ if (!action) {
+ xfree(buf);
+ return "";
+ }
description = xstrtok(&x, '\t');
if (!description)
description = action;
- if (!action)
- return "";
snprintf(html, sizeof(html), " %s", menu_url(req, action), description);
+ xfree(buf);
return html;
}
@@ -830,7 +833,7 @@
}
if (!check_target_acl(req->hostname, req->port)) {
- snprintf(buf, 1024, "target %s:%d not allowed in cachemgr.conf\n", req->hostname, req->port);
+ snprintf(buf, sizeof(buf), "target %s:%d not allowed in cachemgr.conf\n", req->hostname, req->port);
error_html(buf);
return 1;
}
@@ -842,7 +845,7 @@
} else if ((S = req->hostname))
(void) 0;
else {
- snprintf(buf, 1024, "Unknown host: %s\n", req->hostname);
+ snprintf(buf, sizeof(buf), "Unknown host: %s\n", req->hostname);
error_html(buf);
return 1;
}
@@ -856,17 +859,19 @@
#else
if ((s = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
#endif
- snprintf(buf, 1024, "socket: %s\n", xstrerror());
+ snprintf(buf, sizeof(buf), "socket: %s\n", xstrerror());
error_html(buf);
+ S.FreeAddrInfo(AI);
return 1;
}
if (connect(s, AI->ai_addr, AI->ai_addrlen) < 0) {
- snprintf(buf, 1024, "connect %s: %s\n",
+ snprintf(buf, sizeof(buf), "connect %s: %s\n",
S.ToURL(ipbuf,MAX_IPSTRLEN),
xstrerror());
error_html(buf);
S.FreeAddrInfo(AI);
+ close(s);
return 1;
}
@@ -954,8 +959,6 @@
read_post_request(void)
{
char *s;
- char *buf;
- int len;
if ((s = getenv("REQUEST_METHOD")) == NULL)
return NULL;
@@ -966,15 +969,34 @@
if ((s = getenv("CONTENT_LENGTH")) == NULL)
return NULL;
- if ((len = atoi(s)) <= 0)
+ if (*s == '-') // negative length content huh?
+ return NULL;
+
+ uint64_t len;
+
+ char *endptr = s+ strlen(s);
+ if ((len = strtoll(s, &endptr, 10)) <= 0)
return NULL;
- buf = (char *)xmalloc(len + 1);
+ // limit the input to something reasonable.
+ // 4KB should be enough for the GET/POST data length, but may be extended.
+ size_t bufLen = (len >= 4096 ? len : 4095);
+ char *buf = (char *)xmalloc(bufLen + 1);
- if (fread(buf, len, 1, stdin) == 0)
+ size_t readLen = fread(buf, bufLen, 1, stdin);
+ if (readLen == 0) {
+ xfree(buf);
return NULL;
+ }
+ buf[readLen] = '\0';
+ len -= readLen;
- buf[len] = '\0';
+ // purge the remainder of the request entity
+ while (len > 0) {
+ char temp[65535];
+ readLen = fread(temp, 65535, 1, stdin);
+ len -= readLen;
+ }
return buf;
}
@@ -1121,37 +1143,49 @@
debug("cmgr: length ok\n");
/* parse ( a lot of memory leaks, but that is cachemgr style :) */
- if ((host_name = strtok(buf, "|")) == NULL)
+ if ((host_name = strtok(buf, "|")) == NULL) {
+ xfree(buf);
return;
+ }
debug("cmgr: decoded host: '%s'\n", host_name);
- if ((time_str = strtok(NULL, "|")) == NULL)
+ if ((time_str = strtok(NULL, "|")) == NULL) {
+ xfree(buf);
return;
+ }
debug("cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now);
- if ((user_name = strtok(NULL, "|")) == NULL)
+ if ((user_name = strtok(NULL, "|")) == NULL) {
+ xfree(buf);
return;
+ }
debug("cmgr: decoded uname: '%s'\n", user_name);
- if ((passwd = strtok(NULL, "|")) == NULL)
+ if ((passwd = strtok(NULL, "|")) == NULL) {
+ xfree(buf);
return;
+ }
debug("cmgr: decoded passwd: '%s'\n", passwd);
/* verify freshness and validity */
- if (atoi(time_str) + passwd_ttl < now)
+ if (atoi(time_str) + passwd_ttl < now) {
+ xfree(buf);
return;
+ }
- if (strcasecmp(host_name, req->hostname))
+ if (strcasecmp(host_name, req->hostname)) {
+ xfree(buf);
return;
+ }
debug("cmgr: verified auth. info.\n");
/* ok, accept */
- xfree(req->user_name);
+ safe_free(req->user_name);
req->user_name = xstrdup(user_name);
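Review bot: `debug("cmgr: decoded passwd: '%s'\n", passwd);` writes the decoded password to the debug output, and the commit reworks every branch around it while leaving it in place. Recording that a password was present is enough: `debug("cmgr: decoded passwd: (hidden)\n");`. The repeated `xfree(buf); return;` pairs also make the comment "a lot of memory leaks, but that is cachemgr style" out of date, and a single cleanup exit would be easier to keep correct. The function starts and ends outside the hunk.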
@@ -1193,6 +1227,7 @@
snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", str64);
+ xfree(str64);
return buf;
}
diff -u -r -N squid-3.2.3/tools/purge/conffile.cc squid-3.2.4/tools/purge/conffile.cc
--- squid-3.2.3/tools/purge/conffile.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/tools/purge/conffile.cc 2012-12-02 22:23:10.000000000 +1300
@@ -48,6 +48,7 @@
#include
#include
#include
+#include
int
readConfigFile( CacheDirVector& cachedir, const char* fn, FILE* debug )
@@ -61,8 +62,8 @@
// try to open file
if ( debug ) fprintf( debug, "# trying to open %s\n", fn ? fn : "(null)" );
- FILE* in = fopen( fn, "r" );
- if ( in == NULL ) {
+ std::ifstream cfgin(fn);
+ if (!cfgin) {
fprintf( stderr, "fopen %s: %s\n", fn, strerror(errno) );
return -1;
}
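Review bot: `std::ifstream cfgin(fn)` is handed `fn` unchecked although the debug line just above allows for `fn` being NULL; constructing the stream from a null path is not defined. Guard it first with `if (!fn) return -1;` plus a message. The error text also still says `fopen` and prints `strerror(errno)`, which the stream constructor is not guaranteed to have set. The function starts before the hunk.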
@@ -84,7 +85,7 @@
regmatch_t subs[8];
char *s, line[1024];
CacheDir cd;
- while ( fgets( line, sizeof(line), in ) ) {
+ while ( cfgin.getline( line, sizeof(line)) ) {
// FIXME: overly long lines
// terminate line at start of comment
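Review bot: `cfgin.getline(line, sizeof(line))` sets failbit when a line does not fit in `line`, which ends the `while` loop, so everything after the first overly long line is skipped without any message, whereas `fgets` carried on with the rest of the line. The FIXME below mentions long lines but not this change in behaviour. After the loop, tell the two exits apart, e.g. `if (cfgin.fail() && !cfgin.eof()) fprintf(stderr, "%s: line too long\n", fn);`, or read into a `std::string` with `std::getline`. The loop body continues outside the hunk.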
@@ -102,7 +103,7 @@
fprintf( stderr, "while matching \"%s\" against %s%s\n",
expression, line, buffer );
regfree(&rexp);
- fclose(in);
+ cfgin.close();
return -1;
}
} else {
@@ -179,7 +180,7 @@
}
}
- fclose(in);
+ cfgin.close();
regfree(&rexp);
return cachedir.size();
}
diff -u -r -N squid-3.2.3/tools/purge/purge.cc squid-3.2.4/tools/purge/purge.cc
--- squid-3.2.3/tools/purge/purge.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/tools/purge/purge.cc 2012-12-02 22:23:10.000000000 +1300
@@ -498,7 +498,8 @@
if ( ::iamalive ) {
static char alivelist[4][3] = { "\\\b", "|\b", "/\b", "-\b" };
static unsigned short alivecount = 0;
- assert( write( STDOUT_FILENO, alivelist[alivecount++ & 3], 2 ) == 2 );
+ const int write_success = write(STDOUT_FILENO, alivelist[alivecount++ & 3], 2);
+ assert(write_success == 2);
}
bool flag = true;
@@ -636,13 +637,15 @@
case 'C':
if ( optarg && *optarg ) {
if ( copydir ) xfree( (void*) copydir );
- assert( (copydir = xstrdup(optarg)) );
+ copydir = xstrdup(optarg);
+ assert(copydir);
}
break;
case 'c':
if ( optarg && *optarg ) {
- if ( *conffile ) xfree((void*) conffile );
- assert( (conffile = xstrdup(optarg)) );
+ if ( *conffile ) xfree((void*) conffile);
+ conffile = xstrdup(optarg);
+ assert(conffile);
}
break;
diff -u -r -N squid-3.2.3/tools/squidclient.cc squid-3.2.4/tools/squidclient.cc
--- squid-3.2.3/tools/squidclient.cc 2012-10-21 01:39:49.000000000 +1300
+++ squid-3.2.4/tools/squidclient.cc 2012-12-02 22:23:10.000000000 +1300
@@ -268,13 +268,11 @@
break;
case 'A':
- if (optarg != NULL)
- useragent = optarg;
+ useragent = optarg;
break;
case 'h': /* remote host */
- if (optarg != NULL)
- hostname = optarg;
+ hostname = optarg;
break;
case 'j':
@@ -282,13 +280,11 @@
break;
case 'V':
- if (optarg != NULL)
- version = optarg;
+ version = optarg;
break;
case 'l': /* local host */
- if (optarg != NULL)
- localhost = optarg;
+ localhost = optarg;
break;
case 's': /* silent */
@@ -421,7 +417,9 @@
setmode(put_fd, O_BINARY);
#endif
- fstat(put_fd, &sb);
+ if (fstat(put_fd, &sb) < 0) {
+ fprintf(stderr, "%s: can't identify length of file (%s)\n", argv[0], xstrerror());
+ }
}
if (!host) {
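Review bot: A failed `fstat(put_fd, &sb)` is now reported, but execution carries on with `sb` unset, so anything later that takes the file length from it reads an indeterminate value. Stop after the message by adding `exit(-1);` inside the new `if` block. The use of `sb` is outside the hunk, so the impact is inferred from the message text ("length of file").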