author | Nick Mathewson <nickm@torproject.org> | 2014-04-07 23:03:04 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2014-04-07 23:03:04 -0400 |
commit | 595303fd1e1998e12c51901f1aea77311e973a44 (patch) | |
tree | 84b18b086564584369b02f7f735a0f98dd4679eb /src/or | |
parent | 84df7d73c9f8892220184e301627d5bddb9c3f79 (diff) | |
parent | 6d9c332757c96e691ddeb024bd41035490a505d7 (diff) | |
Merge remote-tracking branch 'public/bug10363_024_squashed'
Diffstat (limited to 'src/or')
-rw-r--r-- | src/or/channeltls.c | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/src/or/channeltls.c b/src/or/channeltls.c
index 959ec47449..539ead193e 100644
--- a/src/or/channeltls.c
+++ b/src/or/channeltls.c
@@ -1282,7 +1282,6 @@ static void
 channel_tls_process_versions_cell(var_cell_t *cell, channel_tls_t *chan)
 {
 int highest_supported_version = 0;
- const uint8_t *cp, *end;
 int started_here = 0;
 tor_assert(cell);
@@ -1322,11 +1321,15 @@ channel_tls_process_versions_cell(var_cell_t *cell, channel_tls_t *chan)
 }
 tor_assert(chan->conn->handshake_state);
- end = cell->payload + cell->payload_len;
- for (cp = cell->payload; cp+1 < end; cp += 2) {
- uint16_t v = ntohs(get_uint16(cp));
- if (is_or_protocol_version_known(v) && v > highest_supported_version)
- highest_supported_version = v;
+
+ {
+ int i;
+ const uint8_t *cp = cell->payload;
+ for (i = 0; i < cell->payload_len / 2; ++i, cp += 2) {
+ uint16_t v = ntohs(get_uint16(cp));
+ if (is_or_protocol_version_known(v) && v > highest_supported_version)
+ highest_supported_version = v;
+ }
 }
 if (!highest_supported_version) {
 log_fn(LOG_PROTOCOL_WARN, LD_OR,
@@ -1685,12 +1688,16 @@ channel_tls_process_certs_cell(var_cell_t *cell, channel_tls_t *chan)
 for (i = 0; i < n_certs; ++i) {
 uint8_t cert_type;
 uint16_t cert_len;
- if (ptr + 3 > cell->payload + cell->payload_len) {
+ if (cell->payload_len < 3)
+ goto truncated;
+ if (ptr > cell->payload + cell->payload_len - 3) {
 goto truncated;
 }
 cert_type = *ptr;
 cert_len = ntohs(get_uint16(ptr+1));
- if (ptr + 3 + cert_len > cell->payload + cell->payload_len) {
+ if (cell->payload_len < 3 + cert_len)
+ goto truncated;
+ if (ptr > cell->payload + cell->payload_len - cert_len - 3) {
 goto truncated;
 }
 if (cert_type == OR_CERT_TYPE_TLS_LINK || |
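Review bot: `cell->payload_len / 2` in the new versions loop rounds down, so a VERSIONS payload with an odd length has its last byte skipped without any diagnostic. That is safe for memory, but a malformed cell from the peer is then handled as if it were well-formed, unless an odd length is already rejected earlier in the function, outside this hunk. I would at least record the intent above the loop with `/* payload_len / 2 rounds down: a trailing odd byte is never read. */`, and consider logging an odd length at `LOG_PROTOCOL_WARN` like the `!highest_supported_version` branch that follows. The bare `{ ... }` block exists only to scope `i` and `cp`; the function starts and ends outside the hunk.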
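Review bot: The new bounds checks in the certs loop of channel_tls_process_certs_cell carry no comment saying why they subtract from the end of the payload instead of adding to `ptr`. That reason is the point of the change: with `cert_len` read from the cell, `ptr + 3 + cert_len` can form a pointer past the buffer, which is undefined and may let a compiler drop the test. I would put `/* Subtract from the end instead of adding to ptr: ptr + n may point past the payload, which is undefined behaviour. */` above the first check, so a later cleanup does not fold the pairs back into the old form. The two added `if (...) goto truncated;` lines are unbraced while the `if` that follows each is braced; bracing them would match. The rest of the loop and the `truncated` label lie outside the hunk, so how `ptr` advances after these checks cannot be confirmed from here.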