[or-cvs] r9378: Detect pointer loops in DNS requests and replies; avoid infi (in tor/trunk: . src/or)

nickm at seul.org nickm at seul.org
Sun Jan 21 17:05:15 UTC 2007


Author: nickm
Date: 2007-01-21 12:05:10 -0500 (Sun, 21 Jan 2007)
New Revision: 9378

Modified:
   tor/trunk/
   tor/trunk/ChangeLog
   tor/trunk/src/or/eventdns.c
Log:
 r9692 at catbus:  nickm | 2007-01-21 12:04:22 -0500
 Detect pointer loops in DNS requests and replies; avoid infinite loop on such malformed replies.  Fixes bug 380.



Property changes on: tor/trunk
___________________________________________________________________
 svk:merge ticket from /tor/trunk [r9692] on 8246c3cf-6607-4228-993b-4d95d33730f1

Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog	2007-01-21 06:24:05 UTC (rev 9377)
+++ tor/trunk/ChangeLog	2007-01-21 17:05:10 UTC (rev 9378)
@@ -27,6 +27,8 @@
     - If our system clock jumps back in time, don't publish a negative
       uptime in the descriptor. Also, don't let the global rate limiting
       buckets go absurdly negative.
+    - Detect and reject malformed DNS responses containing circular
+      pointer loops.
 
   o Minor bugfixes:
     - When computing clock skew from directory HTTP headers, consider what
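Review bot: the ChangeLog entry does not reference the ticket that the commit message says it closes ("Fixes bug 380"), so readers of the ChangeLog cannot trace the fix back to the report. Suggest appending the bug number to the entry, e.g. "      pointer loops. Fixes bug 380." Also worth checking that the entry sits under the intended heading: it is placed just above "o Minor bugfixes:", so it lands in whichever section precedes it rather than in the bugfix list.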

Modified: tor/trunk/src/or/eventdns.c
===================================================================
--- tor/trunk/src/or/eventdns.c	2007-01-21 06:24:05 UTC (rev 9377)
+++ tor/trunk/src/or/eventdns.c	2007-01-21 17:05:10 UTC (rev 9378)
@@ -736,6 +736,7 @@
 name_parse(u8 *packet, int length, int *idx, char *name_out, int name_out_len) {
 	int name_end = -1;
 	int j = *idx;
+	int ptr_count = 0;
 #define GET32(x) do { if (j + 4 > length) goto err; memcpy(&_t32, packet + j, 4); j += 4; x = ntohl(_t32); } while(0);
 #define GET16(x) do { if (j + 2 > length) goto err; memcpy(&_t, packet + j, 2); j += 2; x = ntohs(_t); } while(0);
 #define GET8(x) do { if (j >= length) goto err; x = packet[j++]; } while(0);
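Review bot: the new `ptr_count` is declared but nothing in this hunk documents its purpose; a one-line comment next to the declaration ("number of compression pointers followed while parsing this name") would make the intent clear without having to read the later hunk. Unrelated to this change but visible in the context lines: each GET32/GET16/GET8 macro body ends in `while(0);`, so every use site expands to a double semicolon, which defeats the usual `do { } while(0)` idiom of making the macro behave like a single statement in `if`/`else` chains.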
@@ -759,7 +760,11 @@
 			GET8(ptr_low);
 			if (name_end < 0) name_end = j;
 			j = (((int)label_len & 0x3f) << 8) + ptr_low;
+			/* Make sure that the target offset is in-bounds. */
 			if (j < 0 || j >= length) return -1;
+			/* If we've jumped more times than there are characters in the
+			 * message, we must have a loop. */
+			if (++ptr_count > length) return -1;
 			continue;
 		}
 		if (label_len > 63) return -1;
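Review bot: the loop check `if (++ptr_count > length) return -1;` is correct but loose: a compression pointer occupies two bytes, so a malformed name can still force up to `length` jumps before being rejected, making each `name_parse` call O(length) in the worst case on hostile input. A tighter and cheaper rule is to require that every pointer target lies strictly before the position of the pointer that referenced it (i.e. reject when the new `j` is not less than the offset the pointer was read from), which follows the RFC 1035 convention that compression pointers only refer backwards and rejects a cycle on the first jump. At minimum the bound could be reduced to `length / 2`. Two smaller points: `name_end = j` is recorded before the bounds check on the computed `j`, which is harmless here because the function returns -1 on failure, but ordering the check first reads more clearly; and the bounds failures use `return -1` while the GET macros above use `goto err`, so it is worth confirming both paths leave the caller's state consistent.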
