diff options
| author | Nick Mathewson <nickm@torproject.org> | 2005-05-17 20:00:24 +0000 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2005-05-17 20:00:24 +0000 |
| commit | e7354725bb04783531fc5cbdf6413515798b236f (patch) | |
| tree | d28799f45110e297915a2ae7d7b06c812584d383 | |
| parent | 9abef5e483d731c56543dbacfdab2ab4616b99c9 (diff) | |
| download | tor-e7354725bb04783531fc5cbdf6413515798b236f.tar.gz tor-e7354725bb04783531fc5cbdf6413515798b236f.zip | |
Handle relay cells with rh.length too large.
svn:r4264
| -rw-r--r-- | src/or/relay.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/or/relay.c b/src/or/relay.c index 32e8f6b8f4..8732c658ce 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -779,6 +779,11 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, num_seen++; log_fn(LOG_DEBUG,"Now seen %d relay cells here.", num_seen); + if (rh.length > RELAY_PAYLOAD_SIZE) { + log_fn(LOG_WARN, "Relay cell length field too long. Closing circuit."); + return -1; + } + /* either conn is NULL, in which case we've got a control cell, or else * conn points to the recognized stream. */ |