microsoft
diff --git a/‎SPECS/squid/CVE-2026-32748.patch‎
Lines changed: 187 additions & 0 deletions b/‎SPECS/squid/CVE-2026-32748.patch‎
Lines changed: 187 additions & 0 deletions
diff --git a/‎SPECS/squid/CVE-2026-33515.patch‎
Lines changed: 194 additions & 0 deletions b/‎SPECS/squid/CVE-2026-33515.patch‎
Lines changed: 194 additions & 0 deletions
@@ -0,0 +1,187 @@
+From 5f0c2824f9ca58066fefeff6faf6056a47ef63b8 Mon Sep 17 00:00:00 2001
+From: Alex Rousskov <rousskov@measurement-factory.com>
+Date: Wed, 18 Feb 2026 21:13:26 +0000
+Subject: [PATCH] ICP: Fix HttpRequest lifetime for ICP v3 queries (#2377)
+
+ACLFilledChecklist correctly locks and unlocks HttpRequest. Thus, when
+given an unlocked request object, an on-stack checklist destroys it.
+Upon icpAccessAllowed() return, Squid uses the destroyed request object.
+
+This bug was probably introduced in 2003 commit 8000a965 that started
+automatically unlocking requests in ACLChecklist destructor. However,
+the bug did not affect allowed ICP v3 queries until 2007 commit f72fb56b
+started _using_ the request object for them. 2005 commit 319bf5a7 fixed
+an equivalent ICP v2 bug for denied queries but missed the ICP v3 case.
+
+The scope, age, and effect of this bug imply that Squid v3+ deployments
+receive no ICP v3 queries since 2007 (or earlier). Squid itself does not
+send ICP v3 messages, responding with ICP v2 replies to ICP v3 queries.
+TODO: Consider dropping ICP v3 support.
+
+Also moved icpAccessAllowed() inside icpGetRequest() to deduplicate code
+and reduce the risk of allowing a request without consulting icp_access.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/squid-cache/squid/commit/703e07d25ca6fa11f52d20bf0bb879e22ab7481b.patch
+
+---
+ src/ICP.h             |  5 +----
+ src/icp_v2.cc         | 34 ++++++++++++++++------------------
+ src/icp_v3.cc         | 10 ++--------
+ src/tests/stub_icp.cc |  4 ++--
+ 4 files changed, 21 insertions(+), 32 deletions(-)
+
+diff --git a/src/ICP.h b/src/ICP.h
+index 0ead0dc..6425270 100644
+--- a/src/ICP.h
++++ b/src/ICP.h
+@@ -90,10 +90,7 @@ extern Comm::ConnectionPointer icpOutgoingConn;
+ extern Ip::Address theIcpPublicHostID;
+ 
+ /// \ingroup ServerProtocolICPAPI
+-HttpRequest* icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from);
+-
+-/// \ingroup ServerProtocolICPAPI
+-bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request);
++HttpRequestPointer icpGetRequest(const char *url, int reqnum, int fd, const Ip::Address &from);
+ 
+ /// \ingroup ServerProtocolICPAPI
+ void icpCreateAndSend(icp_opcode, int flags, char const *url, int reqnum, int pad, int fd, const Ip::Address &from, AccessLogEntryPointer);
+diff --git a/src/icp_v2.cc b/src/icp_v2.cc
+index c0c3846..6e88d3a 100644
+--- a/src/icp_v2.cc
++++ b/src/icp_v2.cc
+@@ -440,8 +440,9 @@ icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd)
+     }
+ }
+ 
+-bool
+-icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request)
++/// icpGetRequest() helper that determines whether squid.conf allows the given ICP query
++static bool
++icpAccessAllowed(const Ip::Address &from, HttpRequest * icp_request)
+ {
+     /* absent any explicit rules, we deny all */
+     if (!Config.accessList.icp)
+@@ -453,8 +454,8 @@ icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request)
+     return checklist.fastCheck().allowed();
+ }
+ 
+-HttpRequest *
+-icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from)
++HttpRequest::Pointer
++icpGetRequest(const char * const url, const int reqnum, const int fd, const Ip::Address &from)
+ {
+     if (strpbrk(url, w_space)) {
+         url = rfc1738_escape(url);
+@@ -463,12 +464,17 @@ icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from)
+     }
+ 
+     const auto mx = MasterXaction::MakePortless<XactionInitiator::initIcp>();
+-    auto *result = HttpRequest::FromUrlXXX(url, mx);
+-    if (!result)
+-        icpCreateAndSend(ICP_ERR, 0, url, reqnum, 0, fd, from, nullptr);
++    if (const HttpRequest::Pointer request = HttpRequest::FromUrlXXX(url, mx)) {
++        if (!icpAccessAllowed(from, request.getRaw())) {
++            icpDenyAccess(from, url, reqnum, fd);
++            return nullptr;
++        }
+ 
+-    return result;
++        return request;
++    }
+ 
++    icpCreateAndSend(ICP_ERR, 0, url, reqnum, 0, fd, from, nullptr);
++    return nullptr;
+ }
+ 
+ static void
+@@ -479,18 +485,12 @@ doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+     uint32_t flags = 0;
+     /* We have a valid packet */
+     char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t);
+-    HttpRequest *icp_request = icpGetRequest(url, header.reqnum, fd, from);
++    const auto icp_request = icpGetRequest(url, header.reqnum, fd, from);
+ 
+     if (!icp_request)
+         return;
+ 
+-    HTTPMSGLOCK(icp_request);
+ 
+-    if (!icpAccessAllowed(from, icp_request)) {
+-        icpDenyAccess(from, url, header.reqnum, fd);
+-        HTTPMSGUNLOCK(icp_request);
+-        return;
+-    }
+ #if USE_ICMP
+     if (header.flags & ICP_FLAG_SRC_RTT) {
+         rtt = netdbHostRtt(icp_request->url.host());
+@@ -503,7 +503,7 @@ doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+ #endif /* USE_ICMP */
+ 
+     /* The peer is allowed to use this cache */
+-    ICP2State state(header, icp_request);
++    ICP2State state(header, icp_request.getRaw());
+     state.fd = fd;
+     state.from = from;
+     state.url = xstrdup(url);
+@@ -532,8 +532,6 @@ doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+     }
+ 
+     icpCreateAndSend(codeToSend, flags, url, header.reqnum, src_rtt, fd, from, state.al);
+-
+-    HTTPMSGUNLOCK(icp_request);
+ }
+ 
+ void
+diff --git a/src/icp_v3.cc b/src/icp_v3.cc
+index 9c57aa7..2054a41 100644
+--- a/src/icp_v3.cc
++++ b/src/icp_v3.cc
+@@ -36,19 +36,13 @@ doV3Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+ {
+     /* We have a valid packet */
+     char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t);
+-    HttpRequest *icp_request = icpGetRequest(url, header.reqnum, fd, from);
++    const auto icp_request = icpGetRequest(url, header.reqnum, fd, from);
+ 
+     if (!icp_request)
+         return;
+ 
+-    if (!icpAccessAllowed(from, icp_request)) {
+-        icpDenyAccess (from, url, header.reqnum, fd);
+-        delete icp_request;
+-        return;
+-    }
+-
+     /* The peer is allowed to use this cache */
+-    ICP3State state(header, icp_request);
++    ICP3State state(header, icp_request.getRaw());
+     state.fd = fd;
+     state.from = from;
+     state.url = xstrdup(url);
+diff --git a/src/tests/stub_icp.cc b/src/tests/stub_icp.cc
+index 155ee29..6ffde0b 100644
+--- a/src/tests/stub_icp.cc
++++ b/src/tests/stub_icp.cc
+@@ -9,6 +9,7 @@
+ #include "squid.h"
+ #include "AccessLogEntry.h"
+ #include "comm/Connection.h"
++#include "HttpRequest.h"
+ #include "ICP.h"
+ 
+ #define STUB_API "icp_*.cc"
+@@ -29,8 +30,7 @@ Comm::ConnectionPointer icpIncomingConn;
+ Comm::ConnectionPointer icpOutgoingConn;
+ Ip::Address theIcpPublicHostID;
+ 
+-HttpRequest* icpGetRequest(char *, int, int, Ip::Address &) STUB_RETVAL(nullptr)
+-bool icpAccessAllowed(Ip::Address &, HttpRequest *) STUB_RETVAL(false)
++HttpRequestPointer icpGetRequest(const char *, int, int, const Ip::Address &) STUB_RETVAL(HttpRequestPointer());
+ void icpCreateAndSend(icp_opcode, int, char const *, int, int, int, const Ip::Address &, AccessLogEntryPointer) STUB
+ icp_opcode icpGetCommonOpcode() STUB_RETVAL(ICP_INVALID)
+ void icpDenyAccess(Ip::Address &, char *, int, int) STUB
+-- 
+2.43.0
+
@@ -0,0 +1,194 @@
+From 45a800839f475ecfff29b61516f7e112bd04aa28 Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <MegaManSec@users.noreply.github.com>
+Date: Thu, 12 Feb 2026 20:28:43 +0000
+Subject: [PATCH] ICP: Fix validation of packet sizes and URLs (#2220)
+
+Fix handling of malformed ICP queries and replies instead of passing
+invalid URL pointer to consumers, leading to out-of-bounds memory reads
+and other problems. These fixes affect both ICP v2 and ICP v3 traffic.
+
+* Reject packets with URLs that are not NUL-terminated.
+* Reject packets with URLs containing embedded NULs or trailing garbage.
+
+The above two restrictions may backfire if popular ICP agents do send
+such malformed URLs, and we will need to do more to handle them
+correctly, but it is _safe_ to reject them for now.
+
+Also protect icpHandleUdp() from dereferencing a nil icpOutgoingConn
+pointer. It is not clear whether icpHandleUdp() can be exposed to nil
+icpOutgoingConn in current code. More work is needed to polish this.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165.patch
+
+---
+ src/ICP.h             |  6 ++++-
+ src/icp_v2.cc         | 55 ++++++++++++++++++++++++++++++++++++++-----
+ src/icp_v3.cc         | 10 +++++---
+ src/tests/stub_icp.cc |  3 ++-
+ 4 files changed, 63 insertions(+), 11 deletions(-)
+
+diff --git a/src/ICP.h b/src/ICP.h
+index 6425270..88f5632 100644
+--- a/src/ICP.h
++++ b/src/ICP.h
+@@ -89,6 +89,10 @@ extern Comm::ConnectionPointer icpIncomingConn;
+ extern Comm::ConnectionPointer icpOutgoingConn;
+ extern Ip::Address theIcpPublicHostID;
+ 
++/// A URI extracted from the given raw packet buffer.
++/// On errors, details the problem and returns nil.
++const char *icpGetUrl(const Ip::Address &from, const char *, const icp_common_t &);
++
+ /// \ingroup ServerProtocolICPAPI
+ HttpRequestPointer icpGetRequest(const char *url, int reqnum, int fd, const Ip::Address &from);
+ 
+@@ -99,7 +103,7 @@ void icpCreateAndSend(icp_opcode, int flags, char const *url, int reqnum, int pa
+ icp_opcode icpGetCommonOpcode();
+ 
+ /// \ingroup ServerProtocolICPAPI
+-void icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd);
++void icpDenyAccess(const Ip::Address &from, const char *url, int reqnum, int fd);
+ 
+ /// \ingroup ServerProtocolICPAPI
+ PF icpHandleUdp;
+diff --git a/src/icp_v2.cc b/src/icp_v2.cc
+index 6e88d3a..0c71096 100644
+--- a/src/icp_v2.cc
++++ b/src/icp_v2.cc
+@@ -425,7 +425,7 @@ icpCreateAndSend(icp_opcode opcode, int flags, char const *url, int reqnum, int
+ }
+ 
+ void
+-icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd)
++icpDenyAccess(const Ip::Address &from, const char * const url, const int reqnum, const int fd)
+ {
+     debugs(12, 2, "icpDenyAccess: Access Denied for " << from << " by " << AclMatchedName << ".");
+ 
+@@ -454,6 +454,39 @@ icpAccessAllowed(const Ip::Address &from, HttpRequest * icp_request)
+     return checklist.fastCheck().allowed();
+ }
+ 
++const char *
++icpGetUrl(const Ip::Address &from, const char * const buf, const icp_common_t &header)
++{
++    const auto receivedPacketSize = static_cast<size_t>(header.length);
++    const auto payloadOffset = sizeof(header);
++
++    // Query payload contains a "Requester Host Address" followed by a URL.
++    // Payload of other ICP packets (with opcode that we recognize) is a URL.
++    const auto urlOffset = payloadOffset + ((header.opcode == ICP_QUERY) ? sizeof(uint32_t) : 0);
++
++    // A URL field cannot be empty because it includes a terminating NUL char.
++    // Ensure that the packet has at least one URL field byte.
++    if (urlOffset >= receivedPacketSize) {
++        debugs(12, 3, "too small packet from " << from << ": " << urlOffset << " >= " << receivedPacketSize);
++        return nullptr;
++    }
++
++    // All ICP packets (with opcode that we recognize) _end_ with a URL field.
++    // RFC 2186 requires all URLs to be "Null-Terminated".
++    if (buf[receivedPacketSize - 1] != '\0') {
++        debugs(12, 3, "unterminated URL or trailing garbage from " << from);
++        return nullptr;
++    }
++
++    const auto url = buf + urlOffset; // a possibly empty c-string
++    if (urlOffset + strlen(url) + 1 != receivedPacketSize) {
++        debugs(12, 3, "URL with an embedded NUL or trailing garbage from " << from);
++        return nullptr;
++    }
++
++    return url;
++}
++
+ HttpRequest::Pointer
+ icpGetRequest(const char * const url, const int reqnum, const int fd, const Ip::Address &from)
+ {
+@@ -478,13 +511,18 @@ icpGetRequest(const char * const url, const int reqnum, const int fd, const Ip::
+ }
+ 
+ static void
+-doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
++doV2Query(const int fd, Ip::Address &from, const char * const buf, icp_common_t header)
+ {
+     int rtt = 0;
+     int src_rtt = 0;
+     uint32_t flags = 0;
+-    /* We have a valid packet */
+-    char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t);
++
++    const auto url = icpGetUrl(from, buf, header);
++    if (!url) {
++        icpCreateAndSend(ICP_ERR, 0, "", header.reqnum, 0, fd, from, nullptr);
++        return;
++    }
++
+     const auto icp_request = icpGetRequest(url, header.reqnum, fd, from);
+ 
+     if (!icp_request)
+@@ -543,7 +581,9 @@ icp_common_t::handleReply(char *buf, Ip::Address &from)
+         neighbors_do_private_keys = 0;
+     }
+ 
+-    char *url = buf + sizeof(icp_common_t);
++    const auto url = icpGetUrl(from, buf, *this);
++    if (!url)
++        return;
+     debugs(12, 3, "icpHandleIcpV2: " << icp_opcode_str[opcode] << " from " << from << " for '" << url << "'");
+ 
+     const cache_key *key = icpGetCacheKey(url, (int) reqnum);
+@@ -678,7 +718,10 @@ icpHandleUdp(int sock, void *)
+ 
+         icp_version = (int) buf[1]; /* cheat! */
+ 
+-        if (icpOutgoingConn->local == from)
++        // XXX: The IP equality comparison below ignores port differences but
++        // should not. It also fails to detect loops when `local` is a wildcard
++        // address (e.g., [::]:3130) because `from` address is never a wildcard.
++        if (icpOutgoingConn && icpOutgoingConn->local == from)
+             // ignore ICP packets which loop back (multicast usually)
+             debugs(12, 4, "icpHandleUdp: Ignoring UDP packet sent by myself");
+         else if (icp_version == ICP_VERSION_2)
+diff --git a/src/icp_v3.cc b/src/icp_v3.cc
+index 2054a41..e3cf041 100644
+--- a/src/icp_v3.cc
++++ b/src/icp_v3.cc
+@@ -32,10 +32,14 @@ public:
+ 
+ /// \ingroup ServerProtocolICPInternal3
+ static void
+-doV3Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
++doV3Query(int fd, Ip::Address &from, const char * const buf, icp_common_t header)
+ {
+-    /* We have a valid packet */
+-    char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t);
++    const auto url = icpGetUrl(from, buf, header);
++    if (!url) {
++        icpCreateAndSend(ICP_ERR, 0, "", header.reqnum, 0, fd, from, nullptr);
++        return;
++    }
++
+     const auto icp_request = icpGetRequest(url, header.reqnum, fd, from);
+ 
+     if (!icp_request)
+diff --git a/src/tests/stub_icp.cc b/src/tests/stub_icp.cc
+index 6ffde0b..ccee1ac 100644
+--- a/src/tests/stub_icp.cc
++++ b/src/tests/stub_icp.cc
+@@ -30,10 +30,11 @@ Comm::ConnectionPointer icpIncomingConn;
+ Comm::ConnectionPointer icpOutgoingConn;
+ Ip::Address theIcpPublicHostID;
+ 
++const char *icpGetUrl(const Ip::Address &, const char *, const icp_common_t &) STUB_RETVAL(nullptr)
+ HttpRequestPointer icpGetRequest(const char *, int, int, const Ip::Address &) STUB_RETVAL(HttpRequestPointer());
+ void icpCreateAndSend(icp_opcode, int, char const *, int, int, int, const Ip::Address &, AccessLogEntryPointer) STUB
+ icp_opcode icpGetCommonOpcode() STUB_RETVAL(ICP_INVALID)
+-void icpDenyAccess(Ip::Address &, char *, int, int) STUB
++void icpDenyAccess(const Ip::Address &, const char *, int, int) STUB
+ void icpHandleIcpV3(int, Ip::Address &, char *, int) STUB
+ void icpConnectionShutdown(void) STUB
+ int icpSetCacheKey(const cache_key *) STUB_RETVAL(0)
+-- 
+2.43.0
+