diff options
| -rw-r--r-- | changes/bug10365 | 7 | ||||
| -rw-r--r-- | src/or/channeltls.c | 8 |
2 files changed, 15 insertions, 0 deletions
diff --git a/changes/bug10365 b/changes/bug10365 new file mode 100644 index 0000000000..f7a15155dd --- /dev/null +++ b/changes/bug10365 @@ -0,0 +1,7 @@ + o Minor bugfixes: + + - When receving a VERSIONS cell with an odd number of bytes, close + the connection immediately. Fix for bug 10365; bugfix on + 0.2.0.10-alpha. Spotted by "bobnomnom"; fix by "rl1987". + + diff --git a/src/or/channeltls.c b/src/or/channeltls.c index 4943054f56..9a290778f5 100644 --- a/src/or/channeltls.c +++ b/src/or/channeltls.c @@ -1208,6 +1208,14 @@ channel_tls_process_versions_cell(var_cell_t *cell, channel_tls_t *chan) tor_assert(chan); tor_assert(chan->conn); + if ((cell->payload_len % 2) == 1) { + log_fn(LOG_PROTOCOL_WARN, LD_OR, + "Received a VERSION cell with odd payload length %d; " + "closing connection.",cell->payload_len); + connection_or_close_for_error(chan->conn, 0); + return; + } + started_here = connection_or_nonopen_was_started_here(chan->conn); if (chan->conn->link_proto != 0 || |