Check answer_len in the remap_addr case of process_relay_cell_not_open.

Fix an edge case where a malicious exit relay could convince a controller that the client's DNS question resolves to an internal IP address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
2009-06-12 11:18:02 -04:00 · 2009-06-12 11:18:02 -04:00 · 3a5259ef68
parent bd0eaa0022
commit 3a5259ef68
2 changed files with 4 additions and 1 deletions
--- a/3
+++ b/3
@ -2,6 +2,9 @@ Changes in version 0.2.0.35 - 2009-??-??
  o Security fix:
    - Avoid crashing in the presence of certain malformed descriptors.
      Found by lark, and by automated fuzzing.
+    - Fix an edge case where a malicious exit relay could convince a
+      controller that the client's DNS question resolves to an internal IP
+      address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta

  o Major bugfixes:
    - Finally fix the bug where dynamic-IP relays disappear when their
--- a/src/or/relay.c
+++ b/src/or/relay.c
@ -993,7 +993,7 @@ connection_edge_process_relay_cell_not_open(
                   cell->payload+RELAY_HEADER_SIZE+2, /*answer*/
                   ttl,
                   -1);
-    if (answer_type == RESOLVED_TYPE_IPV4) {
+    if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
      uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2));
      remap_event_helper(conn, addr);
    }