From 3a5259ef6841d770171e217925c1838ee7121490 Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Fri, 12 Jun 2009 11:18:02 -0400 Subject: Check answer_len in the remap_addr case of process_relay_cell_not_open. Fix an edge case where a malicious exit relay could convince a controller that the client's DNS question resolves to an internal IP address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta. --- ChangeLog | 3 +++ src/or/relay.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 81c1ede212..c2c61865f2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,9 @@ Changes in version 0.2.0.35 - 2009-??-?? o Security fix: - Avoid crashing in the presence of certain malformed descriptors. Found by lark, and by automated fuzzing. + - Fix an edge case where a malicious exit relay could convince a + controller that the client's DNS question resolves to an internal IP + address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta o Major bugfixes: - Finally fix the bug where dynamic-IP relays disappear when their diff --git a/src/or/relay.c b/src/or/relay.c index ca3d4c7fe0..f8c347bd72 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -993,7 +993,7 @@ connection_edge_process_relay_cell_not_open( cell->payload+RELAY_HEADER_SIZE+2, /*answer*/ ttl, -1); - if (answer_type == RESOLVED_TYPE_IPV4) { + if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) { uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2)); remap_event_helper(conn, addr); } -- cgit v1.2.3-54-g00ecf
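Review bot: the new ChangeLog entry is missing its terminating period ("bugfix on 0.1.2.8-beta" should read "bugfix on 0.1.2.8-beta."), which is inconsistent with the neighbouring entry in the same hunk ("Found by lark, and by automated fuzzing.") and with the commit message itself. Also consider stating in the entry which code path is affected (the RESOLVED remap notification sent to controllers), since "convince a controller" on its own does not tell an operator reading the ChangeLog which component was at risk.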
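Review bot: in the relay.c hunk the guard `answer_len >= 4` should probably be `answer_len == 4`: a RESOLVED_TYPE_IPV4 answer is exactly four bytes, and accepting a longer answer here means the `get_uint32(cell->payload+RELAY_HEADER_SIZE+2)` read silently uses only the first four bytes of an oversized answer while the remap event is still emitted to the controller. The `>= 4` check does close the bug the commit message describes (an undersized answer letting the four-byte read pull in bytes past the answer and report an attacker-chosen address), but the hunk does not show where `answer_len` itself is bounded against the cell's payload length before the preceding call; please confirm that check exists upstream, or add an explicit `answer_len <= RELAY_PAYLOAD_SIZE - 2` style bound alongside this one so the read cannot run off the payload either way.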