author: Roger Dingledine <arma@mit.edu> 2009-06-12 11:18:02 -0400
committer: Nick Mathewson <nickm@torproject.org> 2009-06-12 11:28:05 -0400
commit: 3a5259ef6841d770171e217925c1838ee7121490 (patch)
tree: 325d5831e57ff27ca7b1da4d7e3ea9ff951b677f
parent: bd0eaa002246cdfb8df9097175f6c782144bb37d (diff)
Check answer_len in the remap_addr case of process_relay_cell_not_open.
Fix an edge case where a malicious exit relay could convince a controller that the client's DNS question resolves to an internal IP address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
 ChangeLog      | 3 +++
 src/or/relay.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 81c1ede212..c2c61865f2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,9 @@ Changes in version 0.2.0.35 - 2009-??-??
o Security fix:
- Avoid crashing in the presence of certain malformed descriptors.
Found by lark, and by automated fuzzing.
+ - Fix an edge case where a malicious exit relay could convince a
+ controller that the client's DNS question resolves to an internal IP
+ address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta
o Major bugfixes:
- Finally fix the bug where dynamic-IP relays disappear when their
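Review bot: the new ChangeLog entry ends without a period after "bugfix on 0.1.2.8-beta", unlike the preceding "Found by lark, and by automated fuzzing." entry and the commit message it was copied from; add the trailing period so the entries under "o Security fix:" are consistent.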
diff --git a/src/or/relay.c b/src/or/relay.c
index ca3d4c7fe0..f8c347bd72 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -993,7 +993,7 @@ connection_edge_process_relay_cell_not_open(
cell->payload+RELAY_HEADER_SIZE+2, /*answer*/
ttl,
-1);
- if (answer_type == RESOLVED_TYPE_IPV4) {
+ if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2));
remap_event_helper(conn, addr);
}
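Review bot: the new guard `answer_len >= 4` still accepts a RESOLVED_TYPE_IPV4 answer that is longer than four bytes and silently remaps using only its first four; an IPv4 answer is exactly four bytes, so `answer_len == 4` would reject a malformed cell outright instead of treating an over-long answer as valid. The same answer pointer `cell->payload+RELAY_HEADER_SIZE+2` is also handed to the call immediately above this `if` without any length check visible in this hunk, so it is worth confirming that `answer_len` is validated before that call too, or hoisting one check ahead of both uses rather than guarding only the remap path.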