[tor-commits] [tor/maint-0.2.9] Do not truncate too long hostnames

nickm at torproject.org nickm at torproject.org
Tue Feb 7 14:28:00 UTC 2017


commit c4920a60c6af935cc347fe3436dd7ff62a9e380d
Author: junglefowl <junglefowl at riseup.net>
Date:   Tue Jan 24 18:40:01 2017 +0000

    Do not truncate too long hostnames
    
    If a hostname is supplied to tor-resolve which is too long, it will be
    silently truncated, resulting in a different hostname lookup:
    
    $ tor-resolve $(python -c 'print("google.com" + "m" * 256)')
    
    If tor-resolve uses SOCKS5, the length is stored in an unsigned char,
    which overflows in this case and leads to the hostname "google.com".
    As this one is a valid hostname, it returns an address instead of giving
    an error due to the invalid supplied hostname.
---
 src/tools/tor-resolve.c | 4 ++++
 1 file changed, 4 insertions(+)
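The commit message above describes the failure mode in words: a one-octet SOCKS5 length field wraps when the name is longer than 255 bytes, so the request silently carries a prefix of the name instead of the whole thing. The following is an added example (not tor's code and not part of this commit) that reproduces that wrap on the constructed input from the message and shows the checked builder rejecting the same input. The request layout, the `0xF0` RESOLVE command value, and every function name here are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not tor's code: a minimal builder for a SOCKS5 request with a
 * domain-name address (ATYP 0x03). The layout is the one the commit message
 * describes: a one-octet length followed by the name, so the name length must
 * fit in 8 bits or it wraps. */

#define SOCKS5_HDR_LEN 5   /* VER, CMD, RSV, ATYP, length octet */

/* Constructed input mirroring the commit message's example:
 * "google.com" followed by 256 'm' characters (266 bytes). */
void make_overlong_name(char *dst, size_t dstlen)
{
  const char *prefix = "google.com";
  size_t i = strlen(prefix);
  snprintf(dst, dstlen, "%s", prefix);
  for (; i < strlen(prefix) + 256 && i + 1 < dstlen; i++)
    dst[i] = 'm';
  dst[i] = '\0';
}

/* What an unchecked (uint8_t) cast does to an over-long name: the value that
 * would end up on the wire without the check. 266 wraps to 10. */
uint8_t truncated_length_octet(const char *hostname)
{
  return (uint8_t)strlen(hostname);
}

/* The name an unchecked builder would send: the first N bytes of the hostname,
 * where N is the wrapped length octet. out must hold at least 256 bytes. */
char *name_as_sent_unchecked(const char *hostname, char *out)
{
  uint8_t n = truncated_length_octet(hostname);
  memcpy(out, hostname, n);
  out[n] = '\0';
  return out;
}

/* Checked builder. Returns the number of bytes written, or -1 if the name
 * cannot be represented (length does not fit the octet) or buf is too small.
 * CMD 0xF0 is assumed here to be Tor's RESOLVE extension value. */
int build_socks5_name_request(const char *hostname, unsigned char *buf, size_t buflen)
{
  size_t namelen = strlen(hostname);
  if (namelen == 0 || namelen > UINT8_MAX)
    return -1;                    /* reject instead of silently truncating */
  if (buflen < SOCKS5_HDR_LEN + namelen + 2)
    return -1;                    /* header + name + 2-byte DST.PORT */
  buf[0] = 5;                     /* SOCKS version 5 */
  buf[1] = 0xF0;                  /* CMD: RESOLVE (assumed Tor extension) */
  buf[2] = 0;                     /* RSV */
  buf[3] = 3;                     /* ATYP: domain name */
  buf[4] = (unsigned char)namelen;
  memcpy(buf + 5, hostname, namelen);
  buf[5 + namelen] = 0;           /* DST.PORT = 0, not used for RESOLVE */
  buf[6 + namelen] = 0;
  return (int)(7 + namelen);
}

int main(void)
{
  char name[300], sent[256];
  unsigned char req[512];
  make_overlong_name(name, sizeof name);
  printf("hostname length: %zu, wrapped length octet: %u\n",
         strlen(name), truncated_length_octet(name));
  printf("name an unchecked builder would send: %s\n",
         name_as_sent_unchecked(name, sent));
  printf("checked builder result: %d (expect -1)\n",
         build_socks5_name_request(name, req, sizeof req));
  return 0;
}
```

Running it shows the wrapped octet is 10 and the unchecked request would carry exactly "google.com", which is why the lookup succeeds instead of failing; the checked builder returns -1 for the same input.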

diff --git a/src/tools/tor-resolve.c b/src/tools/tor-resolve.c
index 29f85c4..6ac866d 100644
--- a/src/tools/tor-resolve.c
+++ b/src/tools/tor-resolve.c
@@ -80,6 +80,10 @@ build_socks_resolve_request(char **out,
     }
     ipv6 = reverse && tor_addr_family(&addr) == AF_INET6;
     addrlen = reverse ? (ipv6 ? 16 : 4) : 1 + strlen(hostname);
+    if (addrlen > UINT8_MAX) {
+      log_err(LD_GENERAL, "Hostname is too long!");
+      return -1;
+    }
     len = 6 + addrlen;
     *out = tor_malloc(len);
     (*out)[0] = 5; /* SOCKS version 5 */
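Review bot: because `addrlen` counts the length octet as well as the name (`1 + strlen(hostname)`), the new `addrlen > UINT8_MAX` check rejects a 255-character hostname even though 255 fits in the octet; if the octet carries `strlen(hostname)`, the exact bound is `strlen(hostname) > UINT8_MAX` (equivalently `addrlen - 1`). Rejecting one character early is harmless in practice, since DNS names are capped at 253 characters anyway, so this is a precision point rather than a defect; the error message would be more useful with the offending length in it, e.g. `log_err(LD_GENERAL, "Hostname is too long (%lu bytes)!", (unsigned long)addrlen - 1);`.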