[VIM] old Squid clientAbortBody issue - NOT an overflow?

Steven M. Christey coley at mitre.org
Thu Feb 23 21:02:40 EST 2006

There's an old Squid clientAbortBody issue that was claimed to be a
buffer overflow, but the original report seems to be erroneous.



These sources claim a buffer overflow in clientAbortBody() in
client_side.c in Squid before 2.6 STABLE6 (actually, some say STABLE5,
which is understandable because the original researcher claims both.)

The key here is the following Squid bug report:


Here is my reconstruction of what happened:

(1) Original bug report to vendor shows null dereference in
clientAbortBody; original claim is null deref, and patch shows null

(2) Separate researcher claims overflow in clientAbortBody() for
STABLE6 (SECTRACK:1011214), saying "I am still experiencing this
problem in STABLE6."

(3) Various vuln DBs reported this issue as an overflow (including

(4) Later in the bug report, the vendor asks the researcher for more
information about the STABLE6 problem.

(5) The researcher then retracts the original claim, saying "the
release I thought was STABLE6 was a mis-labled version of Stable5..."

I'll be creating a CVE for the issue, calling it a null dereference in
STABLE5.  Not sure where the "overflow" claim even came from, but
there might be some long fields in the stack trace in message 2 of the
bug report (or maybe it's just zeroed memory).

FYI, SECUNIA:12508 is based on the original clientAbortBody null
dereference report.

- Steve

P.S.  Why yes, figuring this out DID kinda suck.

More information about the VIM mailing list