Check answer_len in the remap_addr case of process_relay_cell_not_open.
Fix an edge case where a malicious exit relay could convince a controller that the client's DNS question resolves to an internal IP address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
This commit is contained in:
parent
bd0eaa0022
commit
3a5259ef68
|
@ -2,6 +2,9 @@ Changes in version 0.2.0.35 - 2009-??-??
|
||||||
o Security fix:
|
o Security fix:
|
||||||
- Avoid crashing in the presence of certain malformed descriptors.
|
- Avoid crashing in the presence of certain malformed descriptors.
|
||||||
Found by lark, and by automated fuzzing.
|
Found by lark, and by automated fuzzing.
|
||||||
|
- Fix an edge case where a malicious exit relay could convince a
|
||||||
|
controller that the client's DNS question resolves to an internal IP
|
||||||
|
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta
|
||||||
|
|
||||||
o Major bugfixes:
|
o Major bugfixes:
|
||||||
- Finally fix the bug where dynamic-IP relays disappear when their
|
- Finally fix the bug where dynamic-IP relays disappear when their
|
||||||
|
|
|
@ -993,7 +993,7 @@ connection_edge_process_relay_cell_not_open(
|
||||||
cell->payload+RELAY_HEADER_SIZE+2, /*answer*/
|
cell->payload+RELAY_HEADER_SIZE+2, /*answer*/
|
||||||
ttl,
|
ttl,
|
||||||
-1);
|
-1);
|
||||||
if (answer_type == RESOLVED_TYPE_IPV4) {
|
if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
|
||||||
uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2));
|
uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2));
|
||||||
remap_event_helper(conn, addr);
|
remap_event_helper(conn, addr);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue