author | junglefowl <junglefowl@riseup.net> | 2017-01-24 18:40:01 +0000 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2017-02-07 09:27:00 -0500 |
commit | c4920a60c6af935cc347fe3436dd7ff62a9e380d (patch) | |
tree | 633c12bb5af5e44e6e2f388901152323fdbc184e | |
parent | 9379984128365487d732a89a851a1132b8edbfa0 (diff) | |
download | tor-c4920a60c6af935cc347fe3436dd7ff62a9e380d.tar.gz tor-c4920a60c6af935cc347fe3436dd7ff62a9e380d.zip |
Do not truncate too long hostnames
If a hostname is supplied to tor-resolve which is too long, it will be
silently truncated, resulting in a different hostname lookup:
$ tor-resolve $(python -c 'print("google.com" + "m" * 256)')
If tor-resolve uses SOCKS5, the length is stored in an unsigned char,
which overflows in this case and leads to the hostname "google.com".
As this one is a valid hostname, it returns an address instead of giving
an error due to the invalid supplied hostname.
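The truncation described in the commit message, reproduced as an added example (this is not tor's code; the encoder and decoder below are simplified stand-ins for the SOCKS5 domain-name address format, and the 266-byte hostname is constructed from the command shown above). The first encoder casts `strlen()` into the one-octet length field the way the pre-fix code effectively did, so 266 wraps to 10 and the proxy reads back `google.com`; the second encoder rejects the name up front, which is the behaviour the patch introduces.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for this example: the hostname from the commit message,
 * "google.com" followed by 256 'm' characters (266 bytes). */
static size_t make_long_hostname(char *buf, size_t cap)
{
    const char *prefix = "google.com";
    size_t plen = strlen(prefix);
    if (cap < plen + 256 + 1)
        return 0;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'm', 256);
    buf[plen + 256] = '\0';
    return plen + 256;
}

#define SOCKS5_ATYP_DOMAINNAME 0x03

/* Pre-fix behaviour: the SOCKS5 domain-name length field is a single
 * octet, so storing strlen() in a uint8_t silently drops the high bits.
 * Returns bytes written, or 0 if the output buffer is too small. */
static size_t encode_domain_truncating(const char *hostname, uint8_t *out, size_t cap)
{
    size_t n = strlen(hostname);
    if (cap < 2 + n)
        return 0;
    out[0] = SOCKS5_ATYP_DOMAINNAME;
    out[1] = (uint8_t)n;      /* 266 wraps to 10 here */
    memcpy(out + 2, hostname, n);
    return 2 + n;
}

/* Post-fix behaviour: refuse any name the one-octet length field cannot
 * carry, rather than encoding a different name than the one requested.
 * Returns bytes written, or -1 on rejection. */
static int encode_domain_checked(const char *hostname, uint8_t *out, size_t cap)
{
    size_t n = strlen(hostname);
    if (n == 0 || n > UINT8_MAX)
        return -1;
    if (cap < 2 + n)
        return -1;
    out[0] = SOCKS5_ATYP_DOMAINNAME;
    out[1] = (uint8_t)n;
    memcpy(out + 2, hostname, n);
    return (int)(2 + n);
}

/* What the receiving SOCKS proxy does: trust the length octet and read
 * exactly that many bytes as the name. Returns the decoded name length. */
static size_t decode_domain(const uint8_t *req, char *name, size_t cap)
{
    size_t n = req[1];
    if (n + 1 > cap)
        return 0;
    memcpy(name, req + 2, n);
    name[n] = '\0';
    return n;
}

/* Round-trip the long hostname through the truncating encoder and
 * return the name the proxy would actually resolve. */
static size_t name_seen_by_proxy(char *name, size_t cap)
{
    char host[512];
    uint8_t req[1024];
    if (make_long_hostname(host, sizeof host) == 0)
        return 0;
    if (encode_domain_truncating(host, req, sizeof req) == 0)
        return 0;
    return decode_domain(req, name, cap);
}

/* Same input through the checked encoder; returns -1 when rejected. */
static int long_hostname_accepted(void)
{
    char host[512];
    uint8_t req[1024];
    if (make_long_hostname(host, sizeof host) == 0)
        return -1;
    return encode_domain_checked(host, req, sizeof req);
}

int main(void)
{
    char name[256];
    size_t n = name_seen_by_proxy(name, sizeof name);
    printf("truncating encoder: proxy resolves \"%s\" (%zu bytes)\n", name, n);
    printf("checked encoder: %s\n",
           long_hostname_accepted() < 0 ? "rejected as too long" : "accepted");
    return 0;
}
```

The decoder side is the important half: a proxy has no way to tell that the length octet was wrapped, so the only place the error can be caught is in the client before the request is built, which is where the patch puts its check.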
-rw-r--r-- | src/tools/tor-resolve.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/tools/tor-resolve.c b/src/tools/tor-resolve.c index 29f85c4d17..6ac866d3c0 100644 --- a/src/tools/tor-resolve.c +++ b/src/tools/tor-resolve.c @@ -80,6 +80,10 @@ build_socks_resolve_request(char **out, } ipv6 = reverse && tor_addr_family(&addr) == AF_INET6; addrlen = reverse ? (ipv6 ? 16 : 4) : 1 + strlen(hostname); + if (addrlen > UINT8_MAX) { + log_err(LD_GENERAL, "Hostname is too long!"); + return -1; + } len = 6 + addrlen; *out = tor_malloc(len); (*out)[0] = 5; /* SOCKS version 5 */ |
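Review bot: the new bound `addrlen > UINT8_MAX` in build_socks_resolve_request also rejects a 255-byte hostname, which the SOCKS5 one-octet length field can in fact encode, because `addrlen` here is `1 + strlen(hostname)` and so counts the length octet itself; harmless in practice (a DNS name is at most 253 octets), but either compare `strlen(hostname)` against `UINT8_MAX` directly or leave a comment saying the extra byte of slack is intentional. The hunk also introduces a `return -1` on a path that is reached with `*out` still unassigned, so confirm that every caller of build_socks_resolve_request treats a negative return as failure and does not go on to use `*out` or `len`. Finally, since the rejected value is a command-line argument to tor-resolve, `log_err(LD_GENERAL, "Hostname is too long!")` could name the limit it applied so the user knows what to fix.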