CVE-2020-8450

A remote client sends a crafted HTTP request with an overly long Host header to a Squid instance configured as a reverse proxy (accelerator mode). The Host header value is copied into a fixed-size stack buffer (`char thost[256]`) without proper bounds checking, causing a buffer overflow. The attacker does not need authentication; they only need network access to the Squid proxy. [ref_id=1] [ref_id=2]

The vulnerability resides in `src/client_side.cc` in the `prepareAcceleratedURL()` and `prepareTransparentURL()` functions. The initial patch introduced a `getHostHeader()` function to validate the Host header, but the character check logic was inverted (`if (hostChars[*c])` instead of `if (!hostChars[*c])`), causing all valid Host headers to be rejected. Additionally, a subsequent patch incorrectly used `>= SQUIDHOSTNAMELEN` instead of `<= SQUIDHOSTNAMELEN` when checking the host length, and the `thost` buffer was fixed at 256 bytes rather than using the proper `SQUIDHOSTNAMELEN` constant.

The fix corrects three issues. First, the character validation in `getHostHeader()` was inverted from `if (hostChars[*c])` to `if (!hostChars[*c])` so that invalid characters are properly rejected. Second, the length check was corrected from `>= SQUIDHOSTNAMELEN` to `<= SQUIDHOSTNAMELEN` so that only Host headers exceeding the maximum allowed length are rejected. Third, the `thost` buffer size was changed from the hardcoded `256` to `SQUIDHOSTNAMELEN + 6` to match the actual maximum hostname length plus port separator and port digits. [ref_id=1]