Check answer_len in the remap_addr case of process_relay_cell_not_open.
Fix an edge case where a malicious exit relay could convince a controller that the client's DNS question resolves to an internal IP address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
parent bd0eaa0022
commit 3a5259ef68
|
@ -2,6 +2,9 @@ Changes in version 0.2.0.35 - 2009-??-??
|
|||
o Security fix:
|
||||
- Avoid crashing in the presence of certain malformed descriptors.
|
||||
Found by lark, and by automated fuzzing.
|
||||
- Fix an edge case where a malicious exit relay could convince a
|
||||
controller that the client's DNS question resolves to an internal IP
|
||||
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta
|
||||
|
||||
o Major bugfixes:
|
||||
- Finally fix the bug where dynamic-IP relays disappear when their
|
||||
|
|
|
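Review bot: The new ChangeLog entry ends at "bugfix on 0.1.2.8-beta" with no closing period, while the entry above it ("Found by lark, and by automated fuzzing.") has one; add the period. The section header "o Security fix:" is singular but now covers two items, so it should read "o Security fixes:".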
@ -993,7 +993,7 @@ connection_edge_process_relay_cell_not_open(
|
|||
cell->payload+RELAY_HEADER_SIZE+2, /*answer*/
|
||||
ttl,
|
||||
-1);
|
||||
if (answer_type == RESOLVED_TYPE_IPV4) {
|
||||
if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
|
||||
uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2));
|
||||
remap_event_helper(conn, addr);
|
||||
}
|
||||
|
|
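Review bot: The `answer_len >= 4` test in the `RESOLVED_TYPE_IPV4` condition guards only the `get_uint32` read that feeds `remap_event_helper`; the call ending in `ttl, -1);` just above it is handed the same `cell->payload+RELAY_HEADER_SIZE+2` pointer before any length check visible in this hunk. Confirm that callee validates the answer length itself, or move the check ahead of both uses. An IPv4 answer is exactly 4 bytes, so `answer_len == 4` would be stricter than `>= 4`; if longer answers are accepted on purpose, say so in a comment. A one-line comment stating that the check stops a short answer from being read as a full 32-bit address would also make the intent clear to the next reader.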