authorRoger Dingledine <arma@mit.edu>2009-06-12 11:18:02 -0400
committerNick Mathewson <nickm@torproject.org>2009-06-12 11:22:54 -0400
commit845326317d9c468012ac99fab6e78575a807ed4f (patch)
tree2252411ecce56cc30590706a80920f5c8ad003d1 /src/or/relay.c
parentc50098ffc546bc0875daf9139bea64d09ad49fc0 (diff)
Check answer_len in the remap_addr case of process_relay_cell_not_open.
Fix an edge case where a malicious exit relay could convince a controller that the client's DNS question resolves to an internal IP address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
Diffstat (limited to 'src/or/relay.c')
-rw-r--r--src/or/relay.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/or/relay.c b/src/or/relay.c
index 85cd8f6c82..9657a82956 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -947,7 +947,7 @@ connection_edge_process_relay_cell_not_open(
cell->payload+RELAY_HEADER_SIZE+2, /*answer*/
ttl,
-1);
- if (answer_type == RESOLVED_TYPE_IPV4) {
+ if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2));
remap_event_helper(conn, addr);
}
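Review bot: The new guard `answer_len >= 4` still accepts an IPv4 answer longer than four bytes, and `get_uint32` reads only the first four, so a malformed RESOLVED cell with trailing bytes is still passed to the controller through `remap_event_helper`. An IPv4 answer is exactly four bytes, so `if (answer_type == RESOLVED_TYPE_IPV4 && answer_len == 4) {` would reject the malformed case instead of silently truncating it. The call whose arguments end at `-1);` just above receives the same answer pointer before this check runs; whether `answer_len` is validated against the cell's payload length earlier in the function is not visible here, since the function starts and ends outside the hunk. A short comment such as `/* IPv4 answers are exactly 4 bytes; never read or report anything else */` would record why the length is tested.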