Check answer_len in the remap_addr case of process_relay_cell_not_open.

Fix an edge case where a malicious exit relay could convince a
controller that the client's DNS question resolves to an internal IP
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
This commit is contained in:
Roger Dingledine 2009-06-12 11:18:02 -04:00 committed by Nick Mathewson
parent 77f5ad6b07
commit cb1617f18e
2 changed files with 6 additions and 1 deletions

View File

@ -1,4 +1,9 @@
Changes in version 0.2.2.1-alpha - 2009-??-??
o Security fixes:
- Fix an edge case where a malicious exit relay could convince a
controller that the client's DNS question resolves to an internal IP
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
o Major features:
- Add support for dynamic OpenSSL hardware crypto acceleration engines
via new AccelName and AccelDir options.

View File

@ -947,7 +947,7 @@ connection_edge_process_relay_cell_not_open(
cell->payload+RELAY_HEADER_SIZE+2, /*answer*/
ttl,
-1);
if (answer_type == RESOLVED_TYPE_IPV4) {
if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2));
remap_event_helper(conn, addr);
}