Check answer_len in the remap_addr case of process_relay_cell_not_open.

Fix an edge case where a malicious exit relay could convince a
controller that the client's DNS question resolves to an internal IP
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
Roger Dingledine 15 years ago
parent commit: cb1617f18e
2 changed files with 6 additions and 1 deletion
  1. ChangeLog (+5 -0)
  2. src/or/relay.c (+1 -1)

+ 5 - 0
ChangeLog

@@ -1,4 +1,9 @@
 Changes in version 0.2.2.1-alpha - 2009-??-??
+  o Security fixes:
+    - Fix an edge case where a malicious exit relay could convince a
+      controller that the client's DNS question resolves to an internal IP
+      address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
+
   o Major features:
     - Add support for dynamic OpenSSL hardware crypto acceleration engines
       via new AccelName and AccelDir options.

+ 1 - 1
src/or/relay.c

@@ -947,7 +947,7 @@ connection_edge_process_relay_cell_not_open(
                    cell->payload+RELAY_HEADER_SIZE+2, /*answer*/
                    ttl,
                    -1);
-    if (answer_type == RESOLVED_TYPE_IPV4) {
+    if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
       uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2));
       remap_event_helper(conn, addr);
     }
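Review bot: the new `answer_len >= 4` guard on the `RESOLVED_TYPE_IPV4` branch stops `get_uint32(cell->payload+RELAY_HEADER_SIZE+2)` from reading four bytes out of an answer that is shorter than that, which is the right fix for the remap, but two things are worth tightening. First, a well-formed IPv4 answer is exactly 4 bytes, so `answer_len == 4` would reject a malformed answer outright instead of silently taking its first four bytes; if `>= 4` is intentional, a one-line comment saying why would help the next reader. Second, the call immediately above the guard (the one whose argument list ends with `ttl,` and `-1);`) is handed the same answer pointer before the length is checked; confirm that it bounds its own use of that buffer by `answer_len`, since this hunk only protects the `remap_event_helper` path.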