
[or-cvs] r18418: {tor} Fix a remote-crash bug. This will need a patch release. (in tor/branches/tor-0_2_0-patches: . src/or)



Author: nickm
Date: 2009-02-08 22:11:58 -0500 (Sun, 08 Feb 2009)
New Revision: 18418

Modified:
   tor/branches/tor-0_2_0-patches/ChangeLog
   tor/branches/tor-0_2_0-patches/src/or/eventdns.c
Log:
Fix a remote-crash bug.  This will need a patch release.

Modified: tor/branches/tor-0_2_0-patches/ChangeLog
===================================================================
--- tor/branches/tor-0_2_0-patches/ChangeLog	2009-02-09 02:50:19 UTC (rev 18417)
+++ tor/branches/tor-0_2_0-patches/ChangeLog	2009-02-09 03:11:58 UTC (rev 18418)
@@ -2,6 +2,8 @@
   o Major bugfixes:
     - Fix an infinite-loop bug on handling corrupt votes under certain
       circumstances. Bugfix on 0.2.0.8-alpha.
+    - Avoid a potential crash on exit nodes when processing malformed
+      input.  Remote DoS opportunity.  Bugfix on 0.2.0.33.
 
   o Minor bugfixes:
     - Fix compilation on systems where time_t is a 64-bit integer.
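Review bot: The new ChangeLog entry covers only the exit-node crash, while the eventdns.c hunks in this same revision also rewrite the ISSPACE/ISDIGIT/ISALPHA/TOLOWER/TOUPPER macros and the loop in get_random_bytes(). If those changes are part of the crash fix, the entry should say so. If they are separate cleanups, they deserve their own ChangeLog line or their own commit, so that the patch release carries a minimal diff that is easy to audit.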

Modified: tor/branches/tor-0_2_0-patches/src/or/eventdns.c
===================================================================
--- tor/branches/tor-0_2_0-patches/src/or/eventdns.c	2009-02-09 02:50:19 UTC (rev 18417)
+++ tor/branches/tor-0_2_0-patches/src/or/eventdns.c	2009-02-09 03:11:58 UTC (rev 18418)
@@ -378,11 +378,11 @@
 #define CLOSE_SOCKET(x) close(x)
 #endif
 
-#define ISSPACE(c) isspace((int)(unsigned char)(c))
-#define ISDIGIT(c) isdigit((int)(unsigned char)(c))
-#define ISALPHA(c) isalpha((int)(unsigned char)(c))
-#define TOLOWER(c) (char)tolower((int)(unsigned char)(c))
-#define TOUPPER(c) (char)toupper((int)(unsigned char)(c))
+#define ISSPACE(c) TOR_ISSPACE(c)
+#define ISDIGIT(c) TOR_ISDIGIT(c)
+#define ISALPHA(c) TOR_ISALPHA(c)
+#define TOLOWER(c) TOR_TOLOWER(c)
+#define TOUPPER(c) TOR_TOUPPER(c)
 
 #ifndef NDEBUG
 static const char *
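Review bot: The replacement macros at the top of this hunk drop the explicit (int)(unsigned char) cast and delegate to TOR_ISSPACE and the other TOR_* macros, but nothing visible here shows where those are defined or that they accept negative char values safely. Confirm that the header providing them is included in eventdns.c, and add a one-line comment above the block saying why the libc ctype calls were replaced, since the log message does not connect this change to the crash.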
@@ -1115,15 +1115,12 @@
 get_random_bytes(char *buf, size_t n)
 {
 	unsigned i;
-	for (i = 0; i < n-1; i += 2) {
+	for (i = 0; i < n; i += 2) {
 		u16 tid = trans_id_function();
 		buf[i] = (tid >> 8) & 0xff;
-		buf[i+1] = tid & 0xff;
+		if (i+1<n)
+			buf[i+1] = tid & 0xff;
 	}
-	if (i < n) {
-		u16 tid = trans_id_function();
-		buf[i] = tid & 0xff;
-	}
 }
 
 /* Try to choose a strong transaction id which isn't already in flight */
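Review bot: In get_random_bytes(), i is still declared unsigned while n is size_t, so both i < n and i+1<n compare values of different widths on 64-bit platforms; declaring i as size_t would keep them consistent. The old bound n-1 wraps around when n is 0, and the new loop removes that, but nothing in the code says so. A short comment on the n == 0 and odd-n cases would keep the loop from being "simplified" back later. Style nit: i+1<n lacks the spacing used in the for condition just above it.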
@@ -2309,6 +2306,12 @@
 	(void) flags;
 
 	if (!req) return NULL;
+
+	if (name_len >= sizeof(namebuf)) {
+		_free(req);
+		return NULL;
+	}
+
 	memset(req, 0, sizeof(struct request));
 
 	if (global_randomize_case) {
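Review bot: The name_len >= sizeof(namebuf) check sits after req has already been obtained, so the over-long-name path has to call _free(req) before returning. Moving the check above the allocation would reject bad input before any memory is taken and would remove the cleanup branch. Two smaller points: sizeof(namebuf) yields the buffer size only if namebuf is an array in this scope, which the hunk does not show, and the rejection is silent, so a debug-level log line would let operators see that over-long names are being dropped.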