
[or-cvs] r10811: Backport r10760: fix possible buffer overrun in natd code us (in tor/branches/tor-0_1_2-patches: . doc src/or)



Author: nickm
Date: 2007-07-12 12:17:31 -0400 (Thu, 12 Jul 2007)
New Revision: 10811

Modified:
   tor/branches/tor-0_1_2-patches/
   tor/branches/tor-0_1_2-patches/ChangeLog
   tor/branches/tor-0_1_2-patches/doc/TODO.012
   tor/branches/tor-0_1_2-patches/src/or/connection_edge.c
Log:
 r13718@catbus:  nickm | 2007-07-12 12:16:49 -0400
 Backport r10760: fix possible buffer overrun in natd code used by old BSDs.



Property changes on: tor/branches/tor-0_1_2-patches
___________________________________________________________________
 svk:merge ticket from /tor/012 [r13718] on 8246c3cf-6607-4228-993b-4d95d33730f1

Modified: tor/branches/tor-0_1_2-patches/ChangeLog
===================================================================
--- tor/branches/tor-0_1_2-patches/ChangeLog	2007-07-12 16:17:30 UTC (rev 10810)
+++ tor/branches/tor-0_1_2-patches/ChangeLog	2007-07-12 16:17:31 UTC (rev 10811)
@@ -11,6 +11,10 @@
       orconfig.h _before_ sys/types.h, so that we can get the expected
       definition of _FILE_OFFSET_BITS.  [Bugfix on 0.1.2.x]
 
+  o Major bugfixes (security):
+    - Fix a possible buffer overrun when using BSD natd support.  Bug found
+      by "Mr. Croup."
+
   o Minor bugfixes (directory)
     - Count the number of authorities that recommend each version
       correctly.  Previously, we were under-counting by 1.
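Review bot: The new "Major bugfixes (security)" entry lacks the "[Bugfix on 0.1.2.x]" tag that the neighbouring entry (the orconfig.h/_FILE_OFFSET_BITS line just above) carries; for a security-relevant backport the affected series is worth stating in the same form, e.g. "Fix a possible buffer overrun when using BSD natd support. Bug found by "Mr. Croup." [Bugfix on 0.1.2.x]".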

Modified: tor/branches/tor-0_1_2-patches/doc/TODO.012
===================================================================
--- tor/branches/tor-0_1_2-patches/doc/TODO.012	2007-07-12 16:17:30 UTC (rev 10810)
+++ tor/branches/tor-0_1_2-patches/doc/TODO.012	2007-07-12 16:17:31 UTC (rev 10811)
@@ -13,9 +13,9 @@
   o r10563: use correct types with desc_digest_map.
   o r10566: build correctly on systems where size_t is bigger than ulong. 
   - r10579: new addsysuser implementation for osx (??)
-  - r10643: eventdns.c behavior fix for solaris.
+  o r10643: eventdns.c behavior fix for solaris.
   - r10730: Don't choose guards after any never-connected-to guard. (??)
-  - r10760: fix possible buffer overrun in old BSD natd code
+  o r10760: fix possible buffer overrun in old BSD natd code
   - r10790: Don't include reasons in destroy cells from the origin.
   - Some fix for bug 455.
 
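Review bot: This hunk also flips r10643 (the eventdns.c Solaris fix) from "-" to "o", but the commit message only mentions backporting r10760; either the log line should say that r10643 is being marked done as well, or that status change belongs in its own commit so the TODO history stays traceable to the revision that actually merged it.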

Modified: tor/branches/tor-0_1_2-patches/src/or/connection_edge.c
===================================================================
--- tor/branches/tor-0_1_2-patches/src/or/connection_edge.c	2007-07-12 16:17:30 UTC (rev 10810)
+++ tor/branches/tor-0_1_2-patches/src/or/connection_edge.c	2007-07-12 16:17:31 UTC (rev 10811)
@@ -1685,10 +1685,14 @@
   }
 
   daddr = tbuf = &tmp_buf[0] + 6; /* after end of "[DEST " */
-  while (*tbuf != '\0' && *tbuf != ' ')
-    tbuf++;
-  *tbuf = '\0';
-  tbuf++;
+  if (!(tbuf = strchr(tbuf, ' '))) {
+    log_warn(LD_APP,"Natd handshake was ill-formed; closing. The client "
+             "said: %s",
+             escaped(tmp_buf));
+    connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
+    return -1;
+  }
+  *tbuf++ = '\0';
 
   /* pretend that a socks handshake completed so we don't try to
    * send a socks reply down a natd conn */
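Review bot: The strchr() replacement fixes the real defect in the old loop (when no ' ' was present it stopped at the terminator, wrote '\0' there and then advanced tbuf past the end of the string, so later parsing read beyond the valid data), but it still relies on tmp_buf being NUL-terminated before this point; the lines that fill tmp_buf are outside this hunk, so it would be worth confirming that path always terminates the buffer, since strchr() will otherwise scan off the end just as the old loop would have. One more edge worth a comment: a ' ' immediately after "[DEST " makes daddr an empty string, and the hunk does not say whether the subsequent address parsing rejects that or whether an explicit `if (!*daddr)` check with the same END_STREAM_REASON_INVALID_NATD_DEST close is wanted here. Logging the rejected input through escaped() is the right choice for a warning that includes client-controlled bytes.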