summaryrefslogtreecommitdiff
path: root/src/or
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2014-04-07 23:03:04 -0400
committerNick Mathewson <nickm@torproject.org>2014-04-07 23:03:04 -0400
commit595303fd1e1998e12c51901f1aea77311e973a44 (patch)
tree84b18b086564584369b02f7f735a0f98dd4679eb /src/or
parent84df7d73c9f8892220184e301627d5bddb9c3f79 (diff)
parent6d9c332757c96e691ddeb024bd41035490a505d7 (diff)
downloadtor-595303fd1e1998e12c51901f1aea77311e973a44.tar.gz
tor-595303fd1e1998e12c51901f1aea77311e973a44.zip
Merge remote-tracking branch 'public/bug10363_024_squashed'
Diffstat (limited to 'src/or')
-rw-r--r--src/or/channeltls.c23
1 files changed, 15 insertions, 8 deletions
diff --git a/src/or/channeltls.c b/src/or/channeltls.c
index 959ec47449..539ead193e 100644
--- a/src/or/channeltls.c
+++ b/src/or/channeltls.c
@@ -1282,7 +1282,6 @@ static void
channel_tls_process_versions_cell(var_cell_t *cell, channel_tls_t *chan)
{
int highest_supported_version = 0;
- const uint8_t *cp, *end;
int started_here = 0;
tor_assert(cell);
@@ -1322,11 +1321,15 @@ channel_tls_process_versions_cell(var_cell_t *cell, channel_tls_t *chan)
}
tor_assert(chan->conn->handshake_state);
- end = cell->payload + cell->payload_len;
- for (cp = cell->payload; cp+1 < end; cp += 2) {
- uint16_t v = ntohs(get_uint16(cp));
- if (is_or_protocol_version_known(v) && v > highest_supported_version)
- highest_supported_version = v;
+
+ {
+ int i;
+ const uint8_t *cp = cell->payload;
+ for (i = 0; i < cell->payload_len / 2; ++i, cp += 2) {
+ uint16_t v = ntohs(get_uint16(cp));
+ if (is_or_protocol_version_known(v) && v > highest_supported_version)
+ highest_supported_version = v;
+ }
}
if (!highest_supported_version) {
log_fn(LOG_PROTOCOL_WARN, LD_OR,
@@ -1685,12 +1688,16 @@ channel_tls_process_certs_cell(var_cell_t *cell, channel_tls_t *chan)
for (i = 0; i < n_certs; ++i) {
uint8_t cert_type;
uint16_t cert_len;
- if (ptr + 3 > cell->payload + cell->payload_len) {
+ if (cell->payload_len < 3)
+ goto truncated;
+ if (ptr > cell->payload + cell->payload_len - 3) {
goto truncated;
}
cert_type = *ptr;
cert_len = ntohs(get_uint16(ptr+1));
- if (ptr + 3 + cert_len > cell->payload + cell->payload_len) {
+ if (cell->payload_len < 3 + cert_len)
+ goto truncated;
+ if (ptr > cell->payload + cell->payload_len - cert_len - 3) {
goto truncated;
}
if (cert_type == OR_CERT_TYPE_TLS_LINK ||