Check answer_len in the remap_addr case of process_relay_cell_not_open.

Fix an edge case where a malicious exit relay could convince a
controller that the client's DNS question resolves to an internal IP
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
Roger Dingledine 2009-06-12 11:18:02 -04:00 committed by Nick Mathewson
parent 77f5ad6b07
commit cb1617f18e
2 changed files with 6 additions and 1 deletions

@ -1,4 +1,9 @@
Changes in version 0.2.2.1-alpha - 2009-??-?? Changes in version 0.2.2.1-alpha - 2009-??-??
o Security fixes:
- Fix an edge case where a malicious exit relay could convince a
controller that the client's DNS question resolves to an internal IP
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
o Major features: o Major features:
- Add support for dynamic OpenSSL hardware crypto acceleration engines - Add support for dynamic OpenSSL hardware crypto acceleration engines
via new AccelName and AccelDir options. via new AccelName and AccelDir options.
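
Review bot: The new "Security fixes" entry states the impact but not the condition or the fix, so a reader cannot tell from it that the problem is a resolved answer of type IPv4 whose length is under 4 bytes being read as an address for the controller's address-remap event. Suggest adding a clause such as "by checking the answer length before reporting the address", so controller authors can judge whether they were affected.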

@ -947,7 +947,7 @@ connection_edge_process_relay_cell_not_open(
cell->payload+RELAY_HEADER_SIZE+2, /*answer*/ cell->payload+RELAY_HEADER_SIZE+2, /*answer*/
ttl, ttl,
-1); -1);
if (answer_type == RESOLVED_TYPE_IPV4) { if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2)); uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2));
remap_event_helper(conn, addr); remap_event_helper(conn, addr);
} }
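
Review bot: The new condition on the `if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4)` line accepts any length of 4 or more, but an IPv4 answer is exactly 4 bytes and get_uint32() reads only the first 4; consider `answer_len == 4` so that an over-long answer labelled IPv4 is rejected instead of having its first 4 bytes reported as the address. The call that ends just above this check still receives the same `cell->payload+RELAY_HEADER_SIZE+2` answer pointer with no length test in the visible lines, so confirm that path validates answer_len as well, and that answer_len is bounded by the cell's payload length before either use. A one-line comment on why the length is checked, plus a protocol-level warning when the check fails, would make the silent skip easier to diagnose.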