$OpenBSD: patch-src_reqs_c,v 1.1 2012/08/20 09:51:20 jasper Exp $

Security fix for CVE-2012-3505, tinyproxy: multiple headers hashmap DoS
Patch from https://bugzilla.redhat.com/show_bug.cgi?id=849368
CVE-2012-3505-tinyproxy-limit-headers.patch

--- src/reqs.c.orig	Mon Feb  7 13:31:03 2011
+++ src/reqs.c	Mon Aug 20 11:46:43 2012
@@ -610,6 +610,11 @@ add_header_to_connection (hashmap_t hashofheaders, cha
         return hashmap_insert (hashofheaders, header, sep, len);
 }
 
+/* define max number of headers. big enough to handle legitimate cases,
+ * but limited to avoid DoS 
+ */
+#define MAX_HEADERS 10000
+
 /*
  * Read all the headers from the stream
  */
@@ -617,6 +622,7 @@ static int get_all_headers (int fd, hashmap_t hashofhe
 {
         char *line = NULL;
         char *header = NULL;
+	int count;
         char *tmp;
         ssize_t linelen;
         ssize_t len = 0;
@@ -625,7 +631,7 @@ static int get_all_headers (int fd, hashmap_t hashofhe
         assert (fd >= 0);
         assert (hashofheaders != NULL);
 
-        for (;;) {
+        for (count = 0; count < MAX_HEADERS; count++) {
                 if ((linelen = readline (fd, &line)) <= 0) {
                         safefree (header);
                         safefree (line);
@@ -691,6 +697,12 @@ static int get_all_headers (int fd, hashmap_t hashofhe
 
                 safefree (line);
         }
+
+	/* if we get there, this is we reached MAX_HEADERS count.
+	   bail out with error */
+	safefree (header);
+	safefree (line);
+	return -1;
 }
 
 /*
