mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-09-21 05:26:20 +02:00
a16902b9d4
In dnsserv_resolved(), we carefully made a nul-terminated copy of the
answer in a PTR RESOLVED cell... then never used that nul-terminated
copy. Ouch.
Surprisingly this one isn't as huge a security problem as it could be.
The only place where the input to dnsserv_resolved wasn't necessarily
nul-terminated was when it was called indirectly from relay.c with the
contents of a relay cell's payload. If the end of the payload was
filled with junk, eventdns.c would take the strdup() of the name [This
part is bad; we might crash there if the cell is in a bad part of the
stack or the heap] and get a name of at least length
495[*]. eventdns.c then rejects any name of length over 255, so the
bogus data would be neither transmitted nor altered.
[*] If the name was less than 495 bytes long, the client wouldn't
actually be reading off the end of the cell.
Nonetheless this is a reasonably annoying bug. Better fix it.
Found while looking at bug 2332, reported by doorss. Bugfix on
0.2.0.1-alpha.
|
||
|---|---|---|
| .. | ||
| annotations_fix | ||
| bug1125 | ||
| bug1141 | ||
| bug1840 | ||
| bug1981 | ||
| bug2050 | ||
| bug2190 | ||
| bug2305 | ||
| bug2313 | ||
| bug2324 | ||
| bug2326 | ||
| bug2328 | ||
| bug2332 | ||
| fix2204 | ||
| gabelmoo-newip | ||
| geoip-dec2010 | ||
| geoip-jan2011 | ||
| geoip-oct2010 | ||
| geoip-sep2010 | ||
| geoip-update-august2010 | ||
| geoip-update-june2010 | ||
| maatuska-new-v3auth | ||
| mingw-openssl098m | ||
| misc-reason | ||
| new-geoip-db | ||
| openbsd-sysheaders | ||
| remove-debian | ||
| remove-website | ||
| security_bug | ||