[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
From: Ondrej Mikle <ondrej.mikle@xxxxxxxxx>
Date: Tue, 31 Jan 2012 02:16:10 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 30 Jan 2012 20:16:26 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; bh=dmk6k5jyFM9bmbNdc8r9UHdBLyVvF5rFJu08UFc28Y8=; b=Zlea9OPLigEQVnm+syQ2Sx7Lv7sdNBa6ZzFHTGSYp0/k1SmpAuZnmX/W0P55pS+UTo Tht6aK1g77DUaruNDrdWiA1lBjtSyHrFoHO78mrb2ePMQtL3GtpyH4HwSk9vFUZAyn8Q d9hOMUfRNjNtQDYurCvAy/CiYxGmhTX9i4baY=
In-reply-to: <20120130094534.GF2550@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for discussion by the developers of Tor." <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <4F21C8DD.4090400@xxxxxxxxx> <20120130094534.GF2550@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1

On 01/30/2012 10:45 AM, Roger Dingledine wrote:
> On Thu, Jan 26, 2012 at 10:42:53PM +0100, Ondrej Mikle wrote:
>> Also, this seems to be a bug in
>> relay.c:connection_edge_process_relay_cell_not_open(), the
>> RELAY_COMMAND_RESOLVED case:
>>
>>     answer_len = cell->payload[RELAY_HEADER_SIZE+1];
>>     if (rh->length < 2 || answer_len+2>rh->length) {...}
>>
>> Payload is accessed before checking bounds.
> 
> cell->payload is a fixed-size array. It's going to be there no matter
> what values are in it.
> 
> Unless I'm misunderstanding you?

You're right. For some reason I thought it was malloc-ed buffer, but it's not.

Ondrej
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
  - From: Ondrej Mikle
- Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
  - From: Roger Dingledine

Prev by Author: Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
Next by Author: Re: [tor-dev] Tor and DNS
Previous by thread: Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
Next by thread: Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
Index(es):
- Author
- Thread