
[or-cvs] r10760: Backport candidate: fix a possible buffer overrun when using (in tor/trunk: . src/or)



Author: nickm
Date: 2007-07-07 23:45:47 -0400 (Sat, 07 Jul 2007)
New Revision: 10760

Modified:
   tor/trunk/
   tor/trunk/ChangeLog
   tor/trunk/src/or/connection_edge.c
Log:
 r13602@Kushana:  nickm | 2007-07-07 23:44:24 -0400
 Backport candidate: fix a possible buffer overrun when using natd support on old BSDs.  Based on a patch from "Mr. Croup".



Property changes on: tor/trunk
___________________________________________________________________
 svk:merge ticket from /tor/trunk [r13602] on c95137ef-5f19-0410-b913-86e773d04f59

Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog	2007-07-07 01:49:54 UTC (rev 10759)
+++ tor/trunk/ChangeLog	2007-07-08 03:45:47 UTC (rev 10760)
@@ -66,7 +66,11 @@
       never choose any guards past it. This way we don't expand our
       guard list unless we need to. [Bugfix in 0.1.2.x]
 
+  o Security fixes (BSD natd support):
+    - Fix a possible buffer overrun when using BSD natd support.  Bug found
+      by croup.
 
+
 Changes in version 0.2.0.2-alpha - 2007-06-02
   o Major bugfixes on 0.2.0.1-alpha:
     - Fix an assertion failure related to servers without extra-info digests.
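Review bot: the hunk introduces two consecutive blank lines between the new "Security fixes" entry and the "Changes in version 0.2.0.2-alpha" header (the added `+` blank line plus the existing one), which breaks the one-blank-line spacing the rest of the ChangeLog uses; drop the added blank. The entry also credits "croup" while the commit message says "Mr. Croup", and unlike the neighbouring items ("[Bugfix in 0.1.2.x]") it does not say which release series the overrun affects, which matters for a backport candidate; consider adding that tag.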

Modified: tor/trunk/src/or/connection_edge.c
===================================================================
--- tor/trunk/src/or/connection_edge.c	2007-07-07 01:49:54 UTC (rev 10759)
+++ tor/trunk/src/or/connection_edge.c	2007-07-08 03:45:47 UTC (rev 10760)
@@ -1702,10 +1702,14 @@
   }
 
   daddr = tbuf = &tmp_buf[0] + 6; /* after end of "[DEST " */
-  while (*tbuf != '\0' && *tbuf != ' ')
-    tbuf++;
-  *tbuf = '\0';
-  tbuf++;
+  if (!(tbuf = strchr(tbuf, ' '))) {
+    log_warn(LD_APP,"Natd handshake was ill-formed; closing. The client "
+             "said: %s",
+             escaped(tmp_buf));
+    connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
+    return -1;
+  }
+  *tbuf++ = '\0';
 
   /* pretend that a socks handshake completed so we don't try to
    * send a socks reply down a natd conn */
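Review bot: the replacement with `strchr` is the right fix for the visible defect. The old loop stopped at either a space or the NUL terminator and then unconditionally did `*tbuf = '\0'; tbuf++;`, so for a line with no space after "[DEST " the pointer advanced past the end of the string and the following parsing read beyond it. The new code depends on `tmp_buf` being NUL-terminated at this point, both for `strchr` and for `escaped(tmp_buf)` in the warning; that guarantee is established above this hunk and is not visible here, so a short comment at `daddr = tbuf = &tmp_buf[0] + 6;` stating that `tmp_buf` is NUL-terminated would make the invariant explicit for the backport. Since the logged string is attacker-supplied client input, also confirm `escaped()` is what the surrounding code uses for untrusted data, and consider a regression case that feeds a "[DEST <addr>" line with no trailing space to the natd handshake.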