authorjunglefowl <junglefowl@riseup.net>2017-01-24 18:40:01 +0000
committerNick Mathewson <nickm@torproject.org>2017-01-25 13:13:25 -0500
commitd5a95e1ea1993027e2aad834586f7ab51b741800 (patch)
tree9a5bbca8c9b7ee9722df6e2c2b73fbb3ae496751 /src
parent05c1e2b7d6bc2369cbc01f2aff4e6823539c8690 (diff)
Do not truncate too long hostnames
If a hostname is supplied to tor-resolve which is too long, it will be silently truncated, resulting in a different hostname lookup: $ tor-resolve $(python -c 'print("google.com" + "m" * 256)') If tor-resolve uses SOCKS5, the length is stored in an unsigned char, which overflows in this case and leads to the hostname "google.com". As this is a valid hostname, an address is returned instead of an error for the invalid hostname that was supplied.
Diffstat (limited to 'src')
-rw-r--r--src/tools/tor-resolve.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/tools/tor-resolve.c b/src/tools/tor-resolve.c
index 29f85c4d17..6ac866d3c0 100644
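--- a/src/tools/tor-resolve.c
+++ b/src/tools/tor-resolve.c
@@ -80,6 +80,10 @@ build_socks_resolve_request(char **out,
 }
 ipv6 = reverse && tor_addr_family(&addr) == AF_INET6;
 addrlen = reverse ? (ipv6 ? 16 : 4) : 1 + strlen(hostname);
+ if (addrlen > UINT8_MAX) {
+ log_err(LD_GENERAL, "Hostname is too long!");
+ return -1;
+ }
 len = 6 + addrlen;
 *out = tor_malloc(len);
 (*out)[0] = 5; /* SOCKS version 5 */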
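Review bot: The guard on the added `if (addrlen > UINT8_MAX)` line compares `addrlen`, which already includes the one byte reserved for the SOCKS5 length octet, so a hostname of exactly 255 characters is refused although the length field could hold it; if the length octet is written as `addrlen - 1` further down (outside the hunk), the exact bound is `if (addrlen - 1 > UINT8_MAX)`. Because a DNS name is at most 253 characters the stricter bound rejects no valid name, so this is mainly a readability point, and the off-by-one is far preferable to the silent wrap the commit fixes. A comment would spare the next reader the derivation, e.g. `/* SOCKS5 carries the hostname length in a single octet (RFC 1928), so anything longer cannot be encoded without truncation. */`. In the reverse-lookup path `addrlen` is 4 or 16, so the check cannot fire there. The enclosing function continues beyond the hunk.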