Check answer_len in the remap_addr case of process_relay_cell_not_open.

Fix an edge case where a malicious exit relay could convince a controller that the client's DNS question resolves to an internal IP address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
2024-11-10 05:03:43 +01:00 · 2009-06-12 11:18:02 -04:00 · 2009-06-12 11:18:02 -04:00 · 845326317d
commit 845326317d
parent c50098ffc5
2 changed files with 6 additions and 1 deletions
--- a/5
+++ b/5
@ -1,4 +1,9 @@
 Changes in version 0.2.1.16-?? - 2009-??-??
+  o Security fixes:
+    - Fix an edge case where a malicious exit relay could convince a
+      controller that the client's DNS question resolves to an internal IP
+      address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
+
  o Major performance improvements (on 0.2.0.x):
    - Disable and refactor some debugging checks that forced a linear scan
      over the whole server-side DNS cache.  These accounted for over 50%
--- a/src/or/relay.c
+++ b/src/or/relay.c
@ -947,7 +947,7 @@ connection_edge_process_relay_cell_not_open(
                   cell->payload+RELAY_HEADER_SIZE+2, /*answer*/
                   ttl,
                   -1);
-    if (answer_type == RESOLVED_TYPE_IPV4) {
+    if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
      uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2));
      remap_event_helper(conn, addr);
    }