diff options
author | Nick Mathewson <nickm@torproject.org> | 2011-01-10 16:18:32 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2011-01-15 11:49:25 -0500 |
commit | a16902b9d4b0a912eb0a252bb945cbeaaa40dacb (patch) | |
tree | 632be0253de5e7fe3a1e2f90fe78df4140f4a04c /src/or/dnsserv.c | |
parent | 9fcc14224b689dff1be8336feeeb563199694c27 (diff) | |
download | tor-a16902b9d4b0a912eb0a252bb945cbeaaa40dacb.tar.gz tor-a16902b9d4b0a912eb0a252bb945cbeaaa40dacb.zip |
Always nul-terminate the result passed to evdns_server_add_ptr_reply
In dnsserv_resolved(), we carefully made a nul-terminated copy of the
answer in a PTR RESOLVED cell... then never used that nul-terminated
copy. Ouch.
Surprisingly this one isn't as huge a security problem as it could be.
The only place where the input to dnsserv_resolved wasn't necessarily
nul-terminated was when it was called indirectly from relay.c with the
contents of a relay cell's payload. If the end of the payload was
filled with junk, eventdns.c would take the strdup() of the name [This
part is bad; we might crash there if the cell is in a bad part of the
stack or the heap] and get a name of at least length
495[*]. eventdns.c then rejects any name of length over 255, so the
bogus data would be neither transmitted nor altered.
[*] If the name was less than 495 bytes long, the client wouldn't
actually be reading off the end of the cell.
Nonetheless this is a reasonably annoying bug. Better fix it.
Found while looking at bug 2332, reported by doorss. Bugfix on
0.2.0.1-alpha.
Diffstat (limited to 'src/or/dnsserv.c')
-rw-r--r-- | src/or/dnsserv.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/or/dnsserv.c b/src/or/dnsserv.c index 579080be3e..57c449311f 100644 --- a/src/or/dnsserv.c +++ b/src/or/dnsserv.c @@ -275,7 +275,7 @@ dnsserv_resolved(edge_connection_t *conn, char *ans = tor_strndup(answer, answer_len); evdns_server_request_add_ptr_reply(req, NULL, name, - (char*)answer, ttl); + ans, ttl); tor_free(ans); } else if (answer_type == RESOLVED_TYPE_ERROR) { err = DNS_ERR_NOTEXIST; |