From c4920a60c6af935cc347fe3436dd7ff62a9e380d Mon Sep 17 00:00:00 2001
From: junglefowl
Date: Tue, 24 Jan 2017 18:40:01 +0000
Subject: [PATCH 1/2] Do not truncate too long hostnames
If a hostname is supplied to tor-resolve which is too long, it will be silently truncated, resulting in a different hostname lookup:
$ tor-resolve $(python -c 'print("google.com" + "m" * 256)')
If tor-resolve uses SOCKS5, the length is stored in an unsigned char, which overflows in this case and leads to the hostname "google.com". As this one is a valid hostname, it returns an address instead of giving an error due to the invalid supplied hostname.
---
 src/tools/tor-resolve.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/tools/tor-resolve.c b/src/tools/tor-resolve.c
index 29f85c4d17..6ac866d3c0 100644
--- a/src/tools/tor-resolve.c
+++ b/src/tools/tor-resolve.c
@@ -80,6 +80,10 @@ build_socks_resolve_request(char **out,
 }
 ipv6 = reverse && tor_addr_family(&addr) == AF_INET6;
 addrlen = reverse ? (ipv6 ? 16 : 4) : 1 + strlen(hostname);
+ if (addrlen > UINT8_MAX) {
+ log_err(LD_GENERAL, "Hostname is too long!");
+ return -1;
+ }
 len = 6 + addrlen;
 *out = tor_malloc(len);
 (*out)[0] = 5; /* SOCKS version 5 */
From a271ad2a7efed53c42bc84b0f781a6603bd494fc Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Wed, 25 Jan 2017 13:15:37 -0500
Subject: [PATCH 2/2] changes file for 21280
---
 changes/bug21280 | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 changes/bug21280
diff --git a/changes/bug21280 b/changes/bug21280
new file mode 100644
index 0000000000..e9f0bc174c
--- /dev/null
+++ b/changes/bug21280
@@ -0,0 +1,5 @@
+ o Minor bugfixes (tor-resolve):
+ - The tor-resolve command line tool now rejects hostnames over 255
+ characters in length. Previously, it would silently truncate
+ them, which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
+ Patch by "junglefowl".
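Review bot: The new bound in the tor-resolve.c hunk is off by one on the strict side: `addrlen` is computed as `1 + strlen(hostname)`, so it already counts the SOCKS5 length octet, and `addrlen > UINT8_MAX` therefore refuses a 255-character hostname that the one-byte length field can still hold, which also disagrees with the changes file's "over 255 characters". If the out-of-hunk code stores `addrlen - 1` in the length octet and copies `addrlen - 1` bytes (it appears to, but that code is not in the hunk), the check should be `if (addrlen - 1 > UINT8_MAX) {`; the reverse-lookup sizes of 4 and 16 are unaffected either way. A comment such as `/* SOCKS5 carries the FQDN length in one octet; refuse rather than let it wrap and resolve a different name */` would record why the request is rejected here instead of truncated. build_socks_resolve_request begins and ends outside the hunk, so the SOCKS4 path is not reviewed here.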