Check answer_len in the remap_addr case of process_relay_cell_not_open.

Fix an edge case where a malicious exit relay could convince a controller that the client's DNS question resolves to an internal IP address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
2024-11-23 20:03:31 +01:00 · 2009-06-12 11:18:02 -04:00 · 2009-06-12 11:18:02 -04:00 · cb1617f18e
commit cb1617f18e
parent 77f5ad6b07
2 changed files with 6 additions and 1 deletions
--- a/5
+++ b/5
@ -1,4 +1,9 @@
 Changes in version 0.2.2.1-alpha - 2009-??-??
+  o Security fixes:
+    - Fix an edge case where a malicious exit relay could convince a
+      controller that the client's DNS question resolves to an internal IP
+      address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
+
  o Major features:
    - Add support for dynamic OpenSSL hardware crypto acceleration engines
      via new AccelName and AccelDir options.
--- a/src/or/relay.c
+++ b/src/or/relay.c
@ -947,7 +947,7 @@ connection_edge_process_relay_cell_not_open(
                   cell->payload+RELAY_HEADER_SIZE+2, /*answer*/
                   ttl,
                   -1);
-    if (answer_type == RESOLVED_TYPE_IPV4) {
+    if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
      uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2));
      remap_event_helper(conn, addr);
    }