From 1ed615ded7db0765e8355687bda8b00fdc643e3e Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Wed, 29 Jun 2011 11:45:15 -0400
Subject: [PATCH] Correct byte-counting in socks auth parsing code

---
 src/or/buffers.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/or/buffers.c b/src/or/buffers.c
index 445376f60e..4b8532af09 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -1648,14 +1648,19 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req,
                  "authentication negotiated. Rejecting.");
         return -1;
       }
+      /* Format is: authversion [1 byte] == 1
+                    usernamelen [1 byte]
+                    username    [usernamelen bytes]
+                    passlen     [1 byte]
+                    password    [passlen bytes] */
       usernamelen = (unsigned char)*(data + 1);
-      if (datalen < 2u + usernamelen) {
-        *want_length_out = 2u+usernamelen;
+      if (datalen < 2u + usernamelen + 1u) {
+        *want_length_out = 2u + usernamelen + 1u;
         return 0;
       }
       passlen = (unsigned char)*(data + 2u + usernamelen);
       if (datalen < 2u + usernamelen + 1u + passlen) {
-        *want_length_out = 2u+usernamelen;
+        *want_length_out = 2u + usernamelen + 1u + passlen;
         return 0;
       }
       req->replylen = 2; /* 2 bytes of response */