Kinkie | 14 Feb 10:39 2016

testRock still not working on macOS

Hi all,
  the latest work done on Shm to make it work on MacOS seems to be
working, however it is still not possible to do unit tests, because
the anchors IPC segment created by testRock has too long a filename
(it's "/squid-testRock_Store_map_anchors.shm").

Could we maybe work on shortening the shm segments names
(e.g. reducing Store_map to "sm" or getting rid of the underscores)?


squid-dev mailing list
squid-dev <at>
noc | 12 Feb 14:28 2016

Build failed in Jenkins: trunk-matrix » gcc,d-debian-jessie #541

See <,label=d-debian-jessie/541/>

Started by upstream project "trunk-matrix" build number 541
originally caused by:
 Started by an SCM change
Building remotely on d-debian-jessie (gcc farm 8.2 amd64-Debian buildmaster Debian clang
amd64-Debian-8.2 amd64 Debian-8.2) in workspace <,label=d-debian-jessie/ws/>
[WS-CLEANUP] Deleting project workspace...
Cleaning workspace...
$ bzr branch <,label=d-debian-jessie/ws/>
Branched 14536 revisions.
Getting local revision...
$ bzr revision-info -d <,label=d-debian-jessie/ws/>
info result: bzr revision-info -d
returned 0. Command output: "14536 chtsanti <at>
" stderr: ""
RevisionState revno:14536 revid:chtsanti <at>
[d-debian-jessie] $ /bin/sh -xe /tmp/
+ tests=layer-00-bootstrap layer-00-default layer-01-minimal layer-02-maximus
+ bzr revno
+ echo revno: 14536
revno: 14536
+ CC=gcc
+ CXX=g++
+ [ gcc != icc ]
+ CC=ccache gcc
+ CXX=ccache g++
+ export CC CXX

William Lima | 11 Feb 20:39 2016

unhandled exception

Hi all,

What could cause the exception below (src/|334)?

2016/02/11 13:17:24 kid1| FATAL: dying from an unhandled exception: !theConsumer

Thanks in advance,

Amos Jeffries | 11 Feb 18:20 2016

[PATCH] shuffle SessionCacheRunner to libsecurity

Move the Runner object which manages the SSL session cache into libsecurity.

Unfortunately the OpenSSL session cache callbacks cannot also be moved
due to circular dependency issues. However, when those are resolved by
later libsecurity API additions the callbacks will be much easier to
shift. For now the three symbols shared between the two libraries are
exposed by libsslsquid in the Ssl:: namespace.

Cache initialization is now moved into the Runner. Binding its state
initialization more tightly to the memory allocation and initialization.
Which also removes the need for explicit dependency.

One issue was uncovered during this:

* While ssl/support.h was defining a destruct_session_cache() function
that appeared to release the cache memory, it was not actually being
used anywhere. Which unless a fortuitous sequence of events is happening
means that OpenSSL locks we create for the cache entries may not be
released properly. On the other hand the cache should only be erased on
shutdown so the effects of this are minor.

The unused function has been removed and the issue is now explicitly
noted in the Runner shutdown handling method.

=== modified file 'src/'
--- src/	2016-02-01 11:52:03 +0000
+++ src/	2016-02-11 15:39:37 +0000

Christos Tsantilas | 11 Feb 17:06 2016

[PATCH] Cert Validation memory leaks

This patch fixes one problem discussed under the
"[squid-dev] NotePairs, SSL and Cert Validation memory leaks"
mail thread

I am reposting here because there were many changes on latest trunk code
so the initial patch did not work.

This patch changes the Security::SessionPointer to be a LockingPointer. 
Locking pointers were tested and it looks like they work OK.

I did not implement into this patch the Locking pointer for GnuTLS, my 
understanding is that the GnuTLS is not really implemented, just a
preliminary work done for future implementation.

I hope it is OK.
Dave Lewthwaite | 10 Feb 15:49 2016

[PATCH] Include intermediate certs to client when using peek/stare


Please find attached a modified patch generated by the bzr process (it seems this is a little different to
using plain old diff).

Code has passed all tests ( and formatting checks (

Fix is to make sure that intermediate certificates for certificates generated by squid during SSL bump are
included when sent to the user agent. Previously when performing peek or stare intermediate
certificates were not included. This addresses this bug specifically:


Dave Lewthwaite
Infrastructure Systems Architect, RealityMine

E: davel <at> | M: +44 (0) 7919 100 358 | W:
<> | T:  +44 (0) 161 414 0707

Attachment (send-intermediate-certs-t2.diff): application/octet-stream, 3936 bytes

noc | 10 Feb 11:06 2016

Build failed in Jenkins: trunk-polygraph #945

See <>

Started by upstream project "trunk-matrix" build number 537
originally caused by:
 Started by an SCM change
Building remotely on polygraph (12.04 amd64-Ubuntu Ubuntu amd64-Ubuntu-12.04 Ubuntu-12.04 amd64) in
workspace <>
$ bzr revision-info -d <>
info result: bzr revision-info -d <>
returned 0. Command output: "14532 squid3 <at>
" stderr: ""
[trunk-polygraph] $ bzr update
 M  ChangeLog
 M  doc/release-notes/release-4.sgml
 M  src/security/
All changes applied successfully.
Updated to revision 14532 of branch
[trunk-polygraph] $ bzr switch
Tree is up to date at revision 14532.
Switched to branch:
[trunk-polygraph] $ bzr revert
$ bzr revision-info -d <>
info result: bzr revision-info -d <>
returned 0. Command output: "14532 squid3 <at>
" stderr: ""
[trunk-polygraph] $ bzr log -v -r
revid:squid3 <at> <at>
--long --show-ids

Yuriy M. Kaminskiy | 9 Feb 18:25 2016

[PATCH] snprintf result used without validating its range

In several cases, snprintf result was used without validating its range.

When formatted string would overflow buffer or error happens, snprintf
will return either value larger than buffer size, or -1. In both cases,
if you add this value to pointer (or similar), bad things will happen.

Pattern to watch for: =.*snprintf

I have not verified if any of this is exploitable. In some cases, I was
not sure about proper error handling (watch for XXX comments).

While fixing this error, I noticed typo in Ip::Qos::Config::dumpConfigLine:
markMissMask was used instead of tosMissMask.

Patches compile-tested (however, only on linux/x86/gcc49 and in default

squid-dev mailing list
squid-dev <at>
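
Added example (not part of the posted patch and not Squid code): the pattern the message above describes, an snprintf() result added to an offset without a range check, next to a checked form. The helper names append_fmt and unchecked_advance, the 8-byte buffer and the sample strings are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Unchecked pattern: the snprintf() result is added to the offset as-is.
 * Returns the offset the caller would go on to use; it can exceed the
 * 8-byte buffer (or wrap to a huge value if snprintf() returned -1). */
size_t unchecked_advance(const char *s)
{
    char buf[8];
    size_t off = 0;
    off += snprintf(buf + off, sizeof(buf) - off, "%s", s);
    return off;
}

/* Checked form (hypothetical helper): append at *used and advance only when
 * the whole string fit. Returns 0 on success, -1 on error or truncation. */
int append_fmt(char *buf, size_t cap, size_t *used, const char *fmt, ...)
{
    va_list ap;
    size_t room;
    int n;

    if (*used >= cap)
        return -1;
    room = cap - *used;
    va_start(ap, fmt);
    n = vsnprintf(buf + *used, room, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= room) {
        buf[*used] = '\0';   /* discard the partial write */
        return -1;
    }
    *used += (size_t)n;
    return 0;
}

int main(void)
{
    char buf[8];
    size_t used = 0;
    /* constructed sample inputs */
    printf("unchecked offset: %zu of 8\n", unchecked_advance("0123456789abcdef"));
    printf("fits: %d\n", append_fmt(buf, sizeof(buf), &used, "%s", "abc"));
    printf("too long: %d, used=%zu, buf=\"%s\"\n",
           append_fmt(buf, sizeof(buf), &used, "%s", "0123456789"), used, buf);
    return 0;
}
```
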
Christos Tsantilas | 9 Feb 17:53 2016

Security::SessionPointer and Security::LockingPointer

Hi all,

The short question:
The Security::SessionPointer is a TidyPointer. Is it acceptable to 
convert it to a LockingPointer?

My sense is that the GnuTLS does not support locking pointers?
However I have an idea about how we can add locking support for 
gnutls_session_t if required.

   The Security::SessionPointer is the old Ssl::SSL_Pointer and used to 
be a TidyPointer.
However while fixing the memory leak bug reported and analysed under the 
"[squid-dev] NotePairs, SSL and Cert Validation memory leaks" mail 
thread, I made a patch which converted this pointer to a LockingPointer.

If we can not convert it to locking pointer I need to reimplement the 
patch. However using a locking pointer for SSL may help us in many other 
cases too.

Amos Jeffries | 8 Feb 21:41 2016

[PATCH] convenience library renaming

I have been trying to automate graphing of the Squid internal
dependencies. One of the major issues that has been encountered is that some
of our convenience libraries use the '-' hyphen character which is a
reserved character in DOT graph format.

To make the scripts much simpler and the visual output reflect exactly
what the library names this patch cleans up the library names to follow
our pre-existing policy, and now also to remove punctuation from the
library names.

=== modified file 'compat/'
--- compat/	2016-01-01 00:12:18 +0000
+++ compat/	2016-02-08 12:09:32 +0000
 <at>  <at>  -14,8 +14,8  <at>  <at> 

 # Port Specific Configurations

-libcompat_squid_la_SOURCES = \
+libcompatsquid_la_SOURCES = \ \
 	assert.h \
 	cmsg.h \
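
Review bot: the rename of `libcompat_squid_la_SOURCES` to `libcompatsquid_la_SOURCES` at the top of this hunk has to be matched by the library's `LTLIBRARIES` entry and by every `LIBADD`/`LDADD` reference to it in other directories, none of which are visible in these lines; a missed reference breaks the build for the affected target. Please confirm that a tree-wide search for the old `libcompat_squid` name comes back empty once the patch is applied.
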
 <at>  <at>  -86,7 +86,7  <at>  <at> 
 	os/solaris.h \

Amos Jeffries | 8 Feb 19:18 2016

[PATCH] SBuf const iterator fixes

The SBufIterator is mostly actually a const iterator. But not quite.

The point of difference from const_iterator is the operator*() API which
is also different from the normal iterator API in that it returns a char
instead of a char& or const char &.

The attached patch fixes that API making the iterator equivalent to
const_iterator for the subset of iterator API that it does present.

This has side effects on the reverse iterator and SBuf begin/end
methods. Which are also const'ified.

There appears to be no build-time or unit test identified problems from
this change. It passes the build farm QA easily.

Are there any objections to fast-tracking this merge? If not I hope to
apply this in the next day or two.

=== modified file 'src/SBuf.h'
--- src/SBuf.h	2016-01-01 00:12:18 +0000
+++ src/SBuf.h	2016-02-08 11:08:07 +0000
 <at>  <at>  -83,7 +83,7  <at>  <at> 
 class CharacterSet;
 class SBuf;

-/** Forward input iterator for SBufs
+/** Forward input const_iterator for SBufs
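
Review bot: the reworded doc comment on the `+/** Forward input const_iterator for SBufs` line only changes the category name; the visible comment does not say what dereferencing the iterator yields. If the rest of the comment does not cover it, add a sentence stating that the iterator gives read-only access to the SBuf contents, so callers do not have to infer that from the name.
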