nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-27 22:03:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Avoid a use-after-null-check in proto_socks.c

Browse Source 
Coverity rightly complains that early in the function we're checking
whether username is NULL, and later we're passing it unconditionally
to strlen().

Fixes CID 1437967.  Bug not in any released Tor.
This commit is contained in:
Nick Mathewson 2018-07-16 07:51:11 -04:00
parent ef234ba303
commit 8505522e50
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/core/proto/proto_socks.c
View File

@ -166,7 +166,7 @@ parse_socks4_request(const uint8_t *raw_data, socks_request_t *req,
*is_socks4a = (dest_ip >> 8) == 0;
const char *username = socks4_client_request_get_username(trunnel_req);
size_t usernamelen = username ? strlen(username) : 0;
const size_t usernamelen = username ? strlen(username) : 0;
if (username && usernamelen) {
if (usernamelen > MAX_SOCKS_MESSAGE_LEN) {
log_warn(LD_APP, "Socks4 user name too long; rejecting.");
@ -184,7 +184,7 @@ parse_socks4_request(const uint8_t *raw_data, socks_request_t *req,
// We cannot rely on trunnel here, as we want to detect if
// we have abnormally long hostname field.
const char *hostname = (char *)raw_data + SOCKS4_NETWORK_LEN +
strlen(username) + 1;
usernamelen + 1;
size_t hostname_len = (char *)raw_data + datalen - hostname;
if (hostname_len <= sizeof(req->address)) {