Summary

squid proxys ICAP adaptation is missing data flow control to client side. Thus
blocking
clients may cause a denial of service condition when requesting huge
downloads.

Affected Versions

All squid 3.x versions

Not vulnerable

None of phions HTTP proxy services (in any version) is affected.

Details

squids ICAP adaptation implementation does not check body-pipes buffer size
before reading from an ICAP-server.

If the client does not read from the open connection (i.e. the user does not
confirm the browsers download-message-box in microsofts IE), squid keeps on
reading data from the ICAP server into the body pipe, whilst no more data
can be delivered to the client.
Thus the body pipes buffer is growing and squid may - in worst case - consume
memory up to the size of the users download.
Details can be found on http://www.squid-cache.org/bugs/show_bug.cgi?id=2619

Workarounds

None except disabling content adaptation via ICAP.

–
Martin Huter
Unit Manager
Release Manager
phion AG
Eduard-Bodem-Gasse 1
A-6020 Innsbruck

Tel: +43 (0) 508 100
Fax: +43 (0) 508 100 20
Mail: [email protected]
Web: http://www.phion.com

phion AG
Vorsitzender des Aufsichtsrates: Dr. Karl Lamprecht
Vorstand: Dr. Wieland Alge, Mag. Gunter Klausner
Sitz der Gesellschaft: 6020 Innsbruck, Osterreich
Handelsgericht Innsbruck Firmenbuch: 184392s
UID-Nr:: ATU47509003