You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
31 lines
1.3 KiB
31 lines
1.3 KiB
4 months ago
|
commit 8fcff9c09824b18628f010d26a04247f6a6cbcb8
|
||
|
Author: Alex Rousskov <rousskov@measurement-factory.com>
|
||
|
Date: Sun Nov 12 09:33:20 2023 +0000
|
||
|
|
||
|
Do not update StoreEntry expiration after errorAppendEntry() (#1580)
|
||
|
|
||
|
errorAppendEntry() is responsible for setting entry expiration times,
|
||
|
which it does by calling StoreEntry::storeErrorResponse() that calls
|
||
|
StoreEntry::negativeCache().
|
||
|
|
||
|
This change was triggered by a vulnerability report by Joshua Rogers at
|
||
|
https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html where
|
||
|
it was filed as "Use-After-Free in Cache Manager Errors". The reported
|
||
|
"use after free" vulnerability was unknowingly addressed by 2022 commit
|
||
|
1fa761a that removed excessively long "reentrant" store_client calls
|
||
|
responsible for the disappearance of the properly locked StoreEntry in
|
||
|
this (and probably other) contexts.
|
||
|
|
||
|
diff --git a/src/cache_manager.cc b/src/cache_manager.cc
|
||
|
index 61c7f65be..65bf22dd0 100644
|
||
|
--- a/src/cache_manager.cc
|
||
|
+++ b/src/cache_manager.cc
|
||
|
@@ -326,7 +326,6 @@ CacheManager::start(const Comm::ConnectionPointer &client, HttpRequest *request,
|
||
|
err->url = xstrdup(entry->url());
|
||
|
err->detailError(new ExceptionErrorDetail(Here().id()));
|
||
|
errorAppendEntry(entry, err);
|
||
|
- entry->expires = squid_curtime;
|
||
|
return;
|
||
|
}
|
||
|
|