From e7354725bb04783531fc5cbdf6413515798b236f Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Tue, 17 May 2005 20:00:24 +0000
Subject: [PATCH] Handle relay cells with rh.length too large.

svn:r4264
---
 src/or/relay.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/or/relay.c b/src/or/relay.c
index 32e8f6b8f4..8732c658ce 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -779,6 +779,11 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
 num_seen++;
 log_fn(LOG_DEBUG,"Now seen %d relay cells here.", num_seen);

+ if (rh.length > RELAY_PAYLOAD_SIZE) {
+ log_fn(LOG_WARN, "Relay cell length field too long. Closing circuit.");
+ return -1;
+ }
+
 /* either conn is NULL, in which case we've got a control cell, or else
 * conn points to the recognized stream. */
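Review bot: The new `rh.length > RELAY_PAYLOAD_SIZE` guard logs at `LOG_WARN` for a condition that the remote end of a circuit can trigger at will with a malformed cell, so one misbehaving peer can fill the operator's log. The message also omits the offending value. I would lower or rate-limit the severity and report the field, e.g. `log_fn(LOG_INFO, "Relay cell length field too long (%d > %d). Closing circuit.", (int)rh.length, (int)RELAY_PAYLOAD_SIZE);`. The guard also deserves a one-line comment such as `/* rh.length is peer-controlled; bound it before any handler below uses it as a payload length. */`. The body of connection_edge_process_relay_cell starts and ends outside the hunk, so it is worth confirming that nothing between the header unpack and this check already reads `rh.length`, and that the caller really tears the circuit down on `-1` as the message promises.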