diff options
| author | rl1987 <rl1987@sdf.lonestar.org> | 2013-12-24 21:50:58 +0200 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2014-02-03 13:14:27 -0500 |
| commit | 881c7c0f7d86af501f7eeb34b021636af85d186f (patch) | |
| tree | 8cea3767855866746c31abf07a264a6cce0ca082 | |
| parent | 8db8fda43ffdf0a19eb6febfaadb6b1164973807 (diff) | |
| download | tor-881c7c0f7d86af501f7eeb34b021636af85d186f.tar tor-881c7c0f7d86af501f7eeb34b021636af85d186f.tar.gz | |
10365: Close connections if the VERSIONS cell has an odd length.
Fixes issue 10365.
| -rw-r--r-- | changes/bug10365 | 7 | ||||
| -rw-r--r-- | src/or/channeltls.c | 8 |
2 files changed, 15 insertions, 0 deletions
diff --git a/changes/bug10365 b/changes/bug10365 new file mode 100644 index 000000000..f7a15155d --- /dev/null +++ b/changes/bug10365 @@ -0,0 +1,7 @@ + o Minor bugfixes: + + - When receving a VERSIONS cell with an odd number of bytes, close + the connection immediately. Fix for bug 10365; bugfix on + 0.2.0.10-alpha. Spotted by "bobnomnom"; fix by "rl1987". + + diff --git a/src/or/channeltls.c b/src/or/channeltls.c index 4943054f5..9a290778f 100644 --- a/src/or/channeltls.c +++ b/src/or/channeltls.c @@ -1208,6 +1208,14 @@ channel_tls_process_versions_cell(var_cell_t *cell, channel_tls_t *chan) tor_assert(chan); tor_assert(chan->conn); + if ((cell->payload_len % 2) == 1) { + log_fn(LOG_PROTOCOL_WARN, LD_OR, + "Received a VERSION cell with odd payload length %d; " + "closing connection.",cell->payload_len); + connection_or_close_for_error(chan->conn, 0); + return; + } + started_here = connection_or_nonopen_was_started_here(chan->conn); if (chan->conn->link_proto != 0 || |