authorNick Mathewson <nickm@torproject.org>2009-02-09 03:13:02 +0000
committerNick Mathewson <nickm@torproject.org>2009-02-09 03:13:02 +0000
commit2ebdf91a523348aad3eae7dc565510260a374ef4 (patch)
treecf40fef61189e32ca21028cb6f65eda5e5b0e5aa
parent2756824087a678c9a143fc6f50ffb65ff20f4e50 (diff)
downloadtor-2ebdf91a523348aad3eae7dc565510260a374ef4.tar.gz
tor-2ebdf91a523348aad3eae7dc565510260a374ef4.zip
Fix a remote-crash bug. This will need a patch release.
svn:r18421
-rw-r--r--ChangeLog2
-rw-r--r--src/or/eventdns.c25
2 files changed, 16 insertions, 11 deletions
diff --git a/ChangeLog b/ChangeLog
index 3d3f6b8262..6096d72742 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,8 @@ Changes in version 0.2.1.12-alpha - 2009-02-08
o Major bugfixes:
- Fix an infinite-loop bug on handling corrupt votes under certain
circumstances. Bugfix on 0.2.0.8-alpha.
+ - Avoid a potential crash on exit nodes when processing malformed
+ input. Remote DoS opportunity. Bugfix on 0.2.1.7-alpha.
o Minor bugfixes:
- Let controllers actually ask for the "clients_seen" event. Bugfix
diff --git a/src/or/eventdns.c b/src/or/eventdns.c
index edb934f8f3..9ce4c392f7 100644
--- a/src/or/eventdns.c
+++ b/src/or/eventdns.c
@@ -376,11 +376,11 @@ inet_aton(const char *c, struct in_addr *addr)
#define CLOSE_SOCKET(x) close(x)
#endif
-#define ISSPACE(c) isspace((int)(unsigned char)(c))
-#define ISDIGIT(c) isdigit((int)(unsigned char)(c))
-#define ISALPHA(c) isalpha((int)(unsigned char)(c))
-#define TOLOWER(c) (char)tolower((int)(unsigned char)(c))
-#define TOUPPER(c) (char)toupper((int)(unsigned char)(c))
+#define ISSPACE(c) TOR_ISSPACE(c)
+#define ISDIGIT(c) TOR_ISDIGIT(c)
+#define ISALPHA(c) TOR_ISALPHA(c)
+#define TOLOWER(c) TOR_TOLOWER(c)
+#define TOUPPER(c) TOR_TOUPPER(c)
#ifndef NDEBUG
static const char *
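Review bot: The five ctype macros now forward to `TOR_ISSPACE` and its siblings with no comment saying what those wrappers guarantee, and their definitions are not visible in this hunk. The removed lines cast through `(unsigned char)` before calling `<ctype.h>`, which kept negative `char` values from network input out of undefined behaviour, so the replacement should be confirmed to be at least as strict. I would add a comment above the block, for example `/* Use Tor's ctype wrappers: they must accept any char value, including bytes >= 0x80 from the network. */`. It is also worth checking that the header providing the `TOR_*` macros is included before this point in eventdns.c.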
@@ -1149,14 +1149,11 @@ static void
default_random_bytes_fn(char *buf, size_t n)
{
unsigned i;
- for (i = 0; i < n-1; i += 2) {
+ for (i = 0; i < n; i += 2) {
u16 tid = trans_id_function();
buf[i] = (tid >> 8) & 0xff;
- buf[i+1] = tid & 0xff;
- }
- if (i < n) {
- u16 tid = trans_id_function();
- buf[i] = tid & 0xff;
+ if (i+1<n)
+ buf[i+1] = tid & 0xff;
}
}
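Review bot: In default_random_bytes_fn the index is still declared `unsigned i` while the bound is `size_t n`. Where `size_t` is wider than `unsigned`, a length above `UINT_MAX` would make `i` wrap and the loop would never reach `n`. Declaring it as `size_t i;` removes the mismatch at no cost. The new `i < n` bound does handle `n == 0` correctly, which the old `n-1` did not. The unbraced `if (i+1<n)` sits inside a loop body that writes to a caller-supplied buffer, so I would brace it: `if (i + 1 < n) { buf[i+1] = tid & 0xff; }`.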
@@ -2503,6 +2500,12 @@ request_new(int type, const char *name, int flags,
(void) flags;
if (!req) return NULL;
+
+ if (name_len >= sizeof(namebuf)) {
+ _free(req);
+ return NULL;
+ }
+
memset(req, 0, sizeof(struct request));
if (global_randomize_case) {
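Review bot: The new `name_len >= sizeof(namebuf)` check in request_new runs after `req` has already been obtained, since the `if (!req) return NULL;` context line precedes it. Every oversized name therefore costs an allocation plus a `_free(req)` before it is rejected. The ChangeLog entry describes this as remotely reachable malformed input, so I would do the length test before the allocation; the allocation and the computation of `name_len` are outside this hunk, so confirm the order there. If `name_len` is a signed type, the comparison against `sizeof` relies on the implicit conversion to unsigned, which is worth a short comment. Something like `/* namebuf is fixed-size; refuse names that cannot fit with their terminator */` would also record why the bound is `>=` and not `>`. request_new's body starts and ends outside the hunk.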