1 files changed, 5 insertions, 5 deletions

diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index 65e9a5a8c2..181c6728d9 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -326,7 +326,7 @@ rend_service_introduce(circuit_t *circuit, const char *request, int request_len)
     return -1;
   }
 
-  /* min key length plus digest length */
+  /* min key length plus digest length plus nickname length */
   if (request_len < 148) {
     log_fn(LOG_WARN, "Got a truncated INTRODUCE2 cell on circ %d",
            circuit->n_circ_id);
@@ -357,9 +357,9 @@ rend_service_introduce(circuit_t *circuit, const char *request, int request_len)
     log_fn(LOG_WARN, "Couldn't decrypt INTRODUCE2 cell");
     return -1;
   }
-  ptr=memchr(buf,0,len);
+  ptr=memchr(buf,0,MAX_NICKNAME_LEN+1);
   if (!ptr || ptr == buf) {
-    log_fn(LOG_WARN, "Couldn't find a null-terminated nickname in INTRODUCE2 cell");
+    log_fn(LOG_WARN, "Couldn't find a null-padded nickname in INTRODUCE2 cell");
     return -1;
   }
   if (strspn(buf,LEGAL_NICKNAME_CHARACTERS) != ptr-buf) {
@@ -368,8 +368,8 @@ rend_service_introduce(circuit_t *circuit, const char *request, int request_len)
   }
   /* Okay, now we know that the nickname is at the start of the buffer. */
   rp_nickname = buf;
-  ++ptr;
-  len -= (ptr-buf);
+  ptr = buf+(MAX_NICKNAME_LEN+1);
+  len -= (MAX_NICKNAME_LEN+1);
   if (len != 20+128) {
     log_fn(LOG_WARN, "Bad length for INTRODUCE2 cell.");
     return -1;