37 lines
1.5 KiB
Diff
37 lines
1.5 KiB
Diff
From 5bede3305cabb9ac19babecf3ebaf64f43f7b53e Mon Sep 17 00:00:00 2001
|
|
From: Alex Rousskov <rousskov@measurement-factory.com>
|
|
Date: Sun, 12 Nov 2023 09:33:20 +0000
|
|
Subject: [PATCH] Do not update StoreEntry expiration after errorAppendEntry()
|
|
(#1580)
|
|
|
|
errorAppendEntry() is responsible for setting entry expiration times,
|
|
which it does by calling StoreEntry::storeErrorResponse() that calls
|
|
StoreEntry::negativeCache().
|
|
|
|
This change was triggered by a vulnerability report by Joshua Rogers at
|
|
https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html where
|
|
it was filed as "Use-After-Free in Cache Manager Errors". The reported
|
|
"use after free" vulnerability was unknowingly addressed by 2022 commit
|
|
1fa761a that removed excessively long "reentrant" store_client calls
|
|
responsible for the disappearance of the properly locked StoreEntry in
|
|
this (and probably other) contexts.
|
|
|
|
Conflict: context adapt
|
|
Reference: https://github.com/squid-cache/squid/commit/5bede3305cabb9ac19babecf3ebaf64f43f7b53e
|
|
---
|
|
src/cache_manager.cc | 1 -
|
|
1 file changed, 1 deletion(-)
|
|
|
|
diff --git a/src/cache_manager.cc b/src/cache_manager.cc
|
|
index b5a9cbecd33..08445a517a9 100644
|
|
--- a/src/cache_manager.cc
|
|
+++ b/src/cache_manager.cc
|
|
@@ -306,7 +306,6 @@ CacheManager::start(const Comm::ConnectionPointer &client, HttpRequest *request,
|
|
const auto err = new ErrorState(ERR_INVALID_URL, Http::scNotFound, request);
|
|
err->url = xstrdup(entry->url());
|
|
errorAppendEntry(entry, err);
|
|
- entry->expires = squid_curtime;
|
|
return;
|
|
}
|
|
|