From d5a95e1ea1993027e2aad834586f7ab51b741800 Mon Sep 17 00:00:00 2001 From: junglefowl Date: Tue, 24 Jan 2017 18:40:01 +0000 Subject: [PATCH] Do not truncate too long hostnames If a hostname is supplied to tor-resolve which is too long, it will be silently truncated, resulting in a different hostname lookup: $ tor-resolve $(python -c 'print("google.com" + "m" * 256)') If tor-resolve uses SOCKS5, the length is stored in an unsigned char, which overflows in this case and leads to the hostname "google.com". As this one is a valid hostname, it returns an address instead of giving an error due to the invalid supplied hostname. --- src/tools/tor-resolve.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/tools/tor-resolve.c b/src/tools/tor-resolve.c index 29f85c4d17..6ac866d3c0 100644 --- a/src/tools/tor-resolve.c +++ b/src/tools/tor-resolve.c @@ -80,6 +80,10 @@ build_socks_resolve_request(char **out, } ipv6 = reverse && tor_addr_family(&addr) == AF_INET6; addrlen = reverse ? (ipv6 ? 16 : 4) : 1 + strlen(hostname); + if (addrlen > UINT8_MAX) { + log_err(LD_GENERAL, "Hostname is too long!"); + return -1; + } len = 6 + addrlen; *out = tor_malloc(len); (*out)[0] = 5; /* SOCKS version 5 */