
[or-cvs] [tor/maint-0.2.0] Check answer_len in the remap_addr case of process_relay_cell_not_open.



Author: Roger Dingledine <arma@xxxxxxx>
Date: Fri, 12 Jun 2009 11:18:02 -0400
Subject: Check answer_len in the remap_addr case of process_relay_cell_not_open.
Commit: 3a5259ef6841d770171e217925c1838ee7121490

Fix an edge case where a malicious exit relay could convince a
controller that the client's DNS question resolves to an internal IP
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
---
 ChangeLog      |    3 +++
 src/or/relay.c |    2 +-
 2 files changed, 4 insertions(+), 1 deletions(-)
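The scenario the commit message describes, as an added example that is not Tor's code: a stand-alone C reimplementation of the `remap_addr` read in its pre-fix and post-fix forms, run over two constructed RESOLVED payloads, one well-formed and one from a hostile exit that declares a zero-length IPv4 answer so that the four bytes read afterwards are really the exit-chosen TTL. The answer layout (type byte, length byte, value, four-byte TTL) follows Tor's RESOLVED cell format and the macro names mirror relay.c; the buffer size, helper names, the `is_internal_ipv4` test and the sample addresses are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the RELAY_RESOLVED answer layout Tor uses: after the
 * 11-byte relay header the payload carries
 *   [answer_type: 1 byte][answer_len: 1 byte][answer: answer_len bytes][ttl: 4 bytes]
 * RELAY_HEADER_SIZE and RESOLVED_TYPE_IPV4 mirror the names in relay.c; all other
 * code here is this example's own, not Tor's. */
#define RELAY_HEADER_SIZE 11
#define RELAY_PAYLOAD_LEN 498          /* 509-byte cell minus the relay header (assumed) */
#define RESOLVED_TYPE_IPV4 4

/* Same result as the page's ntohl(get_uint32(p)): a big-endian 32-bit read. */
static uint32_t read_be32(const uint8_t *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* RFC 1918 and loopback ranges: the kind of "internal IP address" the commit
 * message says a controller could be shown. */
int is_internal_ipv4(uint32_t addr) {
  return (addr >> 24) == 10      ||   /* 10.0.0.0/8     */
         (addr >> 20) == 0xAC1   ||   /* 172.16.0.0/12  */
         (addr >> 16) == 0xC0A8  ||   /* 192.168.0.0/16 */
         (addr >> 24) == 127;         /* 127.0.0.0/8    */
}

/* Before the fix: once the type byte says IPv4, four bytes after the length
 * byte are read no matter what answer_len says. Returns 0 if not IPv4. */
uint32_t remap_addr_unchecked(const uint8_t *payload) {
  uint8_t answer_type = payload[RELAY_HEADER_SIZE];
  if (answer_type != RESOLVED_TYPE_IPV4)
    return 0;
  return read_be32(payload + RELAY_HEADER_SIZE + 2);
}

/* After the fix: the declared length must cover the four bytes being read.
 * Returns 0 if the answer is not a usable IPv4 answer. */
uint32_t remap_addr_checked(const uint8_t *payload) {
  uint8_t answer_type = payload[RELAY_HEADER_SIZE];
  uint8_t answer_len  = payload[RELAY_HEADER_SIZE + 1];
  if (answer_type != RESOLVED_TYPE_IPV4 || answer_len < 4)
    return 0;
  return read_be32(payload + RELAY_HEADER_SIZE + 2);
}

/* Constructed cell from a hostile exit: IPv4 type with answer_len 0, so the
 * bytes following the length byte are the TTL, which the exit picks freely.
 * Here they spell 10.0.0.1. */
static void build_malicious_cell(uint8_t *payload) {
  memset(payload, 0, RELAY_HEADER_SIZE + RELAY_PAYLOAD_LEN);
  payload[RELAY_HEADER_SIZE]     = RESOLVED_TYPE_IPV4;
  payload[RELAY_HEADER_SIZE + 1] = 0;     /* zero-length answer */
  payload[RELAY_HEADER_SIZE + 2] = 10;    /* "TTL" bytes 10.0.0.1 */
  payload[RELAY_HEADER_SIZE + 3] = 0;
  payload[RELAY_HEADER_SIZE + 4] = 0;
  payload[RELAY_HEADER_SIZE + 5] = 1;
}

/* Constructed well-formed cell: IPv4 answer 93.184.216.34, then a TTL of 60. */
static void build_honest_cell(uint8_t *payload) {
  static const uint8_t addr[4] = {93, 184, 216, 34};
  static const uint8_t ttl[4]  = {0, 0, 0, 60};
  memset(payload, 0, RELAY_HEADER_SIZE + RELAY_PAYLOAD_LEN);
  payload[RELAY_HEADER_SIZE]     = RESOLVED_TYPE_IPV4;
  payload[RELAY_HEADER_SIZE + 1] = 4;
  memcpy(payload + RELAY_HEADER_SIZE + 2, addr, 4);
  memcpy(payload + RELAY_HEADER_SIZE + 6, ttl, 4);
}

uint32_t demo_unchecked_on_malicious(void) {
  uint8_t cell[RELAY_HEADER_SIZE + RELAY_PAYLOAD_LEN];
  build_malicious_cell(cell);
  return remap_addr_unchecked(cell);
}

uint32_t demo_checked_on_malicious(void) {
  uint8_t cell[RELAY_HEADER_SIZE + RELAY_PAYLOAD_LEN];
  build_malicious_cell(cell);
  return remap_addr_checked(cell);
}

uint32_t demo_checked_on_honest(void) {
  uint8_t cell[RELAY_HEADER_SIZE + RELAY_PAYLOAD_LEN];
  build_honest_cell(cell);
  return remap_addr_checked(cell);
}

static void show(const char *label, uint32_t a) {
  printf("%-28s %u.%u.%u.%u internal=%d\n", label,
         a >> 24, (a >> 16) & 0xff, (a >> 8) & 0xff, a & 0xff, is_internal_ipv4(a));
}

int main(void) {
  show("unchecked, hostile cell:", demo_unchecked_on_malicious());  /* 10.0.0.1, internal */
  show("checked, hostile cell:",   demo_checked_on_malicious());    /* 0.0.0.0 = rejected */
  show("checked, honest cell:",    demo_checked_on_honest());       /* 93.184.216.34 */
  return 0;
}
```

The unchecked path hands 10.0.0.1 to whatever consumes the remap event even though the exit never sent an address at all; the checked path refuses the answer because its declared length cannot contain four bytes, and still accepts the honest cell.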

diff --git a/ChangeLog b/ChangeLog
index 81c1ede..c2c6186 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,9 @@ Changes in version 0.2.0.35 - 2009-??-??
   o Security fix:
     - Avoid crashing in the presence of certain malformed descriptors.
       Found by lark, and by automated fuzzing.
+    - Fix an edge case where a malicious exit relay could convince a
+      controller that the client's DNS question resolves to an internal IP
+      address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta
 
   o Major bugfixes:
     - Finally fix the bug where dynamic-IP relays disappear when their
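Review bot: the new entry ends with "bugfix on 0.1.2.8-beta" and no period, while the entry just above it ("Found by lark, and by automated fuzzing.") and the commit message's own wording both end with one; add the period so the two security-fix entries match.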
diff --git a/src/or/relay.c b/src/or/relay.c
index ca3d4c7..f8c347b 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -993,7 +993,7 @@ connection_edge_process_relay_cell_not_open(
                    cell->payload+RELAY_HEADER_SIZE+2, /*answer*/
                    ttl,
                    -1);
-    if (answer_type == RESOLVED_TYPE_IPV4) {
+    if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
       uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2));
       remap_event_helper(conn, addr);
     }
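Review bot: `answer_len >= 4` on the changed line guards the four-byte read in `get_uint32(cell->payload+RELAY_HEADER_SIZE+2)`, but an IPv4 answer is exactly four bytes, so `answer_len == 4` would also reject an oversized answer instead of silently using its first four bytes; if the parsing earlier in this function already enforces the exact length for RESOLVED_TYPE_IPV4 (not visible in the hunk), `>= 4` is sufficient. The same answer pointer was also passed to the call just above (`cell->payload+RELAY_HEADER_SIZE+2, /*answer*/`, `ttl`, `-1`) before this check runs, so it is worth confirming that that callee applies an equivalent bound of its own.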
-- 
1.5.6.5