Gopher, other than being a glorified rat, is an antiquated protocol described in RFC 1436.
Squid is able to act as a proxy server between HTTP and the Gopher protocol, and can query and retrieve contents from Gopher servers, before sending it to the client in a standard HTML document.
When Squid receives a request to a gopher server, it attempts to connect to the server and parse the response. The response is then placed into a standard HTML response for the user’s browsing. This conversion happens in the function gopherToHTML.
This function does many things, but most of the important code for this bug is as follows:
static void
gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
{
…
char *port = NULL;
…
switch (gopherState->conversion) {
…
case GopherStateData::HTML_INDEX_RESULT:
case GopherStateData::HTML_DIR: {
…
if (host) {
*host = '\0';
++host;
port = strchr(host, TAB);
if (port) {
char *junk;
port[0] = ':';
junk = strchr(host, TAB);
if (junk)
*junk++ = 0; /* Chop port */
else {
junk = strchr(host, '\r');
if (junk)
*junk++ = 0; /* Chop port */
else {
junk = strchr(host, '\n');
if (junk)
*junk++ = 0; /* Chop port */
}
}
if ((port[1] == '0') && (!port[2]))
port[0] = 0; /* 0 means none */
}
…
if ((gtype == GOPHER_TELNET) || (gtype == GOPHER_3270)) {
if (strlen(escaped_selector) != 0)
snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
icon_url, escaped_selector, rfc1738_escape_part(host),
*port ? ":" : "", port, html_quote(name));
else
snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
icon_url, rfc1738_escape_part(host), *port ? ":" : "",
port, html_quote(name));
In layman terms, this means that if the client requests a Gopher page which is a directory or index, all of this code will be executed.
However, if the response portrays itself as GOPHER_TELNET, and no port is parsed in the response, a null pointer dereference of *port will happen in the calls to snprintf().
This is extremely easy to trigger. In order for a server to be identified as GOPHER_TELNET, it simply needs to respond with the number 8 as the first character. In order for the function to believe it is requesting a directory, the request must end in /:
gopher_request_parse(const HttpRequest * req, char *type_id, char *request)
{
::Parser::Tokenizer tok(req->url.path());
if (request)
*request = 0;
tok.skip('/'); // ignore failures? path could be ab-empty
if (tok.atEnd()) {
*type_id = GOPHER_DIRECTORY;
return;
}
}
gopherSendComplete(const Comm::ConnectionPointer &conn, char *, size_t size, Comm::Flag errflag, int xerrno, void *data) {
switch (gopherState->type_id) {
case GOPHER_DIRECTORY:
/* we got to convert it first */
gopherState->conversion = GopherStateData::HTML_DIR;
gopherState->HTML_header_added = 0;
break;
}
Thus, to trigger this bug, a client can send the request:
GET gopher://example.com:1234/\r\n\r\n
while a server located at example.com on port 1234 simply responds with 8\t\t\n.
A Null pointer dereference will cause a crash on most systems.