Fix: CVE-2015-3455 ------------------------------------------------------------ revno: 13222 revision-id: squid3@treenet.co.nz-20150501071651-songz1j26frb2ytz parent: squid3@treenet.co.nz-20150501071104-vd21fu43lvmqoqwa author: Amos Jeffries , Christos Tsantilas committer: Amos Jeffries branch nick: 3.4 timestamp: Fri 2015-05-01 00:16:51 -0700 message: Fix X509 server certificate domain matching The X509 certificate domain fields may contain non-ASCII encodings. Ensure the domain match algorithm is only passed UTF-8 ASCII-compatible strings. ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20150501071651-songz1j26frb2ytz # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 # testament_sha1: e38694c3e222c506740510557d2a7a122786225c # timestamp: 2015-05-01 07:17:25 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 # base_revision_id: squid3@treenet.co.nz-20150501071104-\ # vd21fu43lvmqoqwa # # Begin patch Upstream-Status: Backport http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13222.patch Signed-off-by: Armin Kuster === modified file 'src/ssl/support.cc' --- a/src/ssl/support.cc 2015-01-24 05:07:58 +0000 +++ b/src/ssl/support.cc 2015-05-01 07:16:51 +0000 @@ -209,7 +209,13 @@ if (cn_data->length > (int)sizeof(cn) - 1) { return 1; //if does not fit our buffer just ignore } - memcpy(cn, cn_data->data, cn_data->length); + char *s = reinterpret_cast(cn_data->data); + char *d = cn; + for (int i = 0; i < cn_data->length; ++i, ++d, ++s) { + if (*s == '\0') + return 1; // always a domain mismatch. contains 0x00 + *d = *s; + } cn[cn_data->length] = '\0'; debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn); return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn);