[or-cvs] [tor/maint-0.2.1] Check answer_len in the remap_addr case of process_relay_cell_not_open.
Nick Mathewson
nickm at seul.org
Fri Jun 12 15:23:14 UTC 2009
Author: Roger Dingledine <arma at mit.edu>
Date: Fri, 12 Jun 2009 11:18:02 -0400
Subject: Check answer_len in the remap_addr case of process_relay_cell_not_open.
Commit: 845326317d9c468012ac99fab6e78575a807ed4f
Fix an edge case where a malicious exit relay could convince a
controller that the client's DNS question resolves to an internal IP
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
---
ChangeLog | 5 +++++
src/or/relay.c | 2 +-
2 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 527adc9..bce2aa3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,9 @@
Changes in version 0.2.1.16-?? - 2009-??-??
+ o Security fixes:
+ - Fix an edge case where a malicious exit relay could convince a
+ controller that the client's DNS question resolves to an internal IP
+ address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
+
o Major performance improvements (on 0.2.0.x):
- Disable and refactor some debugging checks that forced a linear scan
over the whole server-side DNS cache. These accounted for over 50%
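Review bot: The new "Security fixes" entry describes the impact but not the defect itself; consider adding a clause saying that the length of the IPv4 answer was not checked before it was used, so that someone reading the ChangeLog can match this entry to the relay.c change in the same commit.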
diff --git a/src/or/relay.c b/src/or/relay.c
index 85cd8f6..9657a82 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -947,7 +947,7 @@ connection_edge_process_relay_cell_not_open(
cell->payload+RELAY_HEADER_SIZE+2, /*answer*/
ttl,
-1);
- if (answer_type == RESOLVED_TYPE_IPV4) {
+ if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2));
remap_event_helper(conn, addr);
}
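Review bot: On the changed `if` line, `answer_len >= 4` still accepts a RESOLVED_TYPE_IPV4 answer whose declared length is larger than four bytes, while `get_uint32` reads exactly four; consider `answer_len == 4` so that any malformed IPv4 answer is kept out of `remap_event_helper`. The call directly above receives the same `cell->payload+RELAY_HEADER_SIZE+2` pointer before this check runs, and the hunk does not show whether that path validates the length, so that is worth confirming. A one-line comment explaining why the length is checked here would also help later readers.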
--
1.5.6.5