From e0ae28d0cd69b5bc4fe3a58800702fd84b12d51f Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Sun, 21 Jan 2007 18:21:39 +0000 Subject: r9701@catbus: nickm | 2007-01-21 13:21:25 -0500 Detect and reject another (harmless) class of DNS replies. Also, fix a couple of IPv6 bugs in evendns.c svn:r9379 --- src/or/eventdns.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/or/eventdns.c b/src/or/eventdns.c index e123592e01..9d0f8f0708 100644 --- a/src/or/eventdns.c +++ b/src/or/eventdns.c @@ -862,7 +862,8 @@ reply_parse(u8 *packet, int length) { if (req->request_type != TYPE_A) { j += datalength; continue; } - // XXXX do something sane with malformed A answers. + if ((datalength & 3) != 0) /* not an even number of As. */ + return -1; addrcount = datalength >> 2; addrtocopy = MIN(MAX_ADDRS - reply.data.a.addrcount, (unsigned)addrcount); @@ -889,7 +890,8 @@ reply_parse(u8 *packet, int length) { if (req->request_type != TYPE_AAAA) { j += datalength; continue; } - // XXXX do something sane with malformed AAAA answers. + if ((datalength & 15) != 0) /* not an even number of AAAAs. */ + return -1; addrcount = datalength >> 4; // each address is 16 bytes long addrtocopy = MIN(MAX_ADDRS - reply.data.aaaa.addrcount, (unsigned)addrcount); ttl_r = MIN(ttl_r, ttl); @@ -901,7 +903,7 @@ reply_parse(u8 *packet, int length) { reply.data.aaaa.addrcount += addrtocopy; j += 16*addrtocopy; reply.have_answer = 1; - if (reply.data.a.addrcount == MAX_ADDRS) break; + if (reply.data.aaaa.addrcount == MAX_ADDRS) break; } else { // skip over any other type of resource j += datalength; @@ -2238,12 +2240,12 @@ int evdns_resolve_reverse_ipv6(struct in6_addr *in, int flags, evdns_callback_ty int i; assert(in); cp = buf; - for (i=0; i < 16; ++i) { + for (i=15; i >= 0; --i) { u8 byte = in->s6_addr[i]; - *cp++ = "0123456789abcdef"[byte >> 4]; - *cp++ = '.'; *cp++ = "0123456789abcdef"[byte & 0x0f]; *cp++ = '.'; + *cp++ = "0123456789abcdef"[byte >> 4]; + *cp++ = '.'; } assert(cp + strlen(".ip6.arpa") < buf+sizeof(buf)); memcpy(cp, ".ip6.arpa", strlen(".ip6.arpa")+1); -- cgit v1.2.3-54-g00ecf