Do not truncate too long hostnames

If a hostname is supplied to tor-resolve which is too long, it will be
silently truncated, resulting in a different hostname lookup:

$ tor-resolve $(python -c 'print("google.com" + "m" * 256)')

If tor-resolve uses SOCKS5, the length is stored in an unsigned char,
which overflows in this case and leads to the hostname "google.com".
As this one is a valid hostname, it returns an address instead of giving
an error due to the invalid supplied hostname.
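As an added illustration of the wrap-around the message describes (hypothetical helper code, not tor's): the SOCKS5 FQDN address field carries one length octet, so narrowing `strlen(hostname)` to an unsigned char turns a 266-byte name into a 10-byte one on the wire, while the `1 + strlen(hostname) > UINT8_MAX` check from the patch rejects it instead.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Pre-fix behaviour: the hostname length is narrowed to one octet, so the
 * peer sees strlen(host) mod 256. Constructed helper, not tor's code. */
static uint8_t fqdn_len_truncating(const char *host) {
  return (uint8_t)strlen(host);
}

/* Post-fix behaviour, mirroring the patch: addrlen counts the length octet
 * plus the name; anything over UINT8_MAX is refused (-1). */
static int fqdn_len_checked(const char *host) {
  size_t addrlen = 1 + strlen(host);
  if (addrlen > UINT8_MAX) return -1;
  return (int)strlen(host);
}

/* Build the hostname from the commit message: "google.com" + 256 * 'm'.
 * Caller frees. */
static char *make_long_hostname(void) {
  const char *base = "google.com";
  size_t n = strlen(base) + 256;
  char *h = malloc(n + 1);
  memcpy(h, base, strlen(base));
  memset(h + strlen(base), 'm', 256);
  h[n] = '\0';
  return h;
}

/* Encode the SOCKS5 address field (ATYP 0x03, length octet, name) with the
 * truncating length, so the reader can see what a server would parse. */
static size_t encode_fqdn_truncating(const char *host, uint8_t *buf, size_t buflen) {
  uint8_t len = fqdn_len_truncating(host);
  if (buflen < (size_t)2 + len) return 0;
  buf[0] = 0x03;
  buf[1] = len;
  memcpy(buf + 2, host, len);
  return 2 + len;
}

/* 1 if the truncating encoder turns the 266-byte name into exactly "google.com". */
static int truncation_yields_google_com(void) {
  char *h = make_long_hostname();
  uint8_t buf[300];
  size_t n = encode_fqdn_truncating(h, buf, sizeof buf);
  int ok = n == 12 && buf[1] == 10 && memcmp(buf + 2, "google.com", 10) == 0;
  free(h);
  return ok;
}

/* 1 if the checked variant refuses the same 266-byte name. */
static int long_hostname_rejected(void) {
  char *h = make_long_hostname();
  int rejected = fqdn_len_checked(h) == -1;
  free(h);
  return rejected;
}
```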
junglefowl 2017-01-24 18:40:01 +00:00 committed by Nick Mathewson
parent 9379984128
commit c4920a60c6
1 changed files with 4 additions and 0 deletions


@ -80,6 +80,10 @@ build_socks_resolve_request(char **out,
}
ipv6 = reverse && tor_addr_family(&addr) == AF_INET6;
addrlen = reverse ? (ipv6 ? 16 : 4) : 1 + strlen(hostname);
if (addrlen > UINT8_MAX) {
log_err(LD_GENERAL, "Hostname is too long!");
return -1;
}
len = 6 + addrlen;
*out = tor_malloc(len);
(*out)[0] = 5; /* SOCKS version 5 */
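Review bot: the bound in the new `if (addrlen > UINT8_MAX)` block is tight for the forward-lookup case: since `addrlen` already counts the length octet (`1 + strlen(hostname)`), the check rejects names of 255 bytes or more, so the value later narrowed into the SOCKS5 length byte is at most 254 and can no longer wrap; the early `return -1` also precedes `*out = tor_malloc(len)`, so nothing is leaked. Two small suggestions: `log_err` is usually reserved in tor for unrecoverable conditions, and rejecting caller-supplied input reads better as `log_warn`; and naming the limit in the message (e.g. "Hostname is too long (at most 254 bytes)") would tell the user what went wrong rather than just that it did.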