diff options
author | Nick Mathewson <nickm@torproject.org> | 2009-02-09 03:13:02 +0000 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2009-02-09 03:13:02 +0000 |
commit | 2ebdf91a523348aad3eae7dc565510260a374ef4 (patch) | |
tree | cf40fef61189e32ca21028cb6f65eda5e5b0e5aa | |
parent | 2756824087a678c9a143fc6f50ffb65ff20f4e50 (diff) | |
download | tor-2ebdf91a523348aad3eae7dc565510260a374ef4.tar.gz tor-2ebdf91a523348aad3eae7dc565510260a374ef4.zip |
Fix a remote-crash bug. This will need a patch release.
svn:r18421
-rw-r--r-- | ChangeLog | 2 | ||||
-rw-r--r-- | src/or/eventdns.c | 25 |
2 files changed, 16 insertions, 11 deletions
@@ -6,6 +6,8 @@ Changes in version 0.2.1.12-alpha - 2009-02-08 o Major bugfixes: - Fix an infinite-loop bug on handling corrupt votes under certain circumstances. Bugfix on 0.2.0.8-alpha. + - Avoid a potential crash on exit nodes when processing malformed + input. Remote DoS opportunity. Bugfix on 0.2.1.7-alpha. o Minor bugfixes: - Let controllers actually ask for the "clients_seen" event. Bugfix diff --git a/src/or/eventdns.c b/src/or/eventdns.c index edb934f8f3..9ce4c392f7 100644 --- a/src/or/eventdns.c +++ b/src/or/eventdns.c @@ -376,11 +376,11 @@ inet_aton(const char *c, struct in_addr *addr) #define CLOSE_SOCKET(x) close(x) #endif -#define ISSPACE(c) isspace((int)(unsigned char)(c)) -#define ISDIGIT(c) isdigit((int)(unsigned char)(c)) -#define ISALPHA(c) isalpha((int)(unsigned char)(c)) -#define TOLOWER(c) (char)tolower((int)(unsigned char)(c)) -#define TOUPPER(c) (char)toupper((int)(unsigned char)(c)) +#define ISSPACE(c) TOR_ISSPACE(c) +#define ISDIGIT(c) TOR_ISDIGIT(c) +#define ISALPHA(c) TOR_ISALPHA(c) +#define TOLOWER(c) TOR_TOLOWER(c) +#define TOUPPER(c) TOR_TOUPPER(c) #ifndef NDEBUG static const char * @@ -1149,14 +1149,11 @@ static void default_random_bytes_fn(char *buf, size_t n) { unsigned i; - for (i = 0; i < n-1; i += 2) { + for (i = 0; i < n; i += 2) { u16 tid = trans_id_function(); buf[i] = (tid >> 8) & 0xff; - buf[i+1] = tid & 0xff; - } - if (i < n) { - u16 tid = trans_id_function(); - buf[i] = tid & 0xff; + if (i+1<n) + buf[i+1] = tid & 0xff; } } @@ -2503,6 +2500,12 @@ request_new(int type, const char *name, int flags, (void) flags; if (!req) return NULL; + + if (name_len >= sizeof(namebuf)) { + _free(req); + return NULL; + } + memset(req, 0, sizeof(struct request)); if (global_randomize_case) { |