authorNick Mathewson <nickm@torproject.org>2014-01-03 10:43:09 -0500
committerNick Mathewson <nickm@torproject.org>2014-01-03 10:43:09 -0500
commit90303602773eca8505229c832119dafcbcfe1ab7 (patch)
tree5b9104029074f6e01e2b03e90a712a02c50abe08
parent573ee36eae63962f5af162a7f732fe4459513c94 (diff)
downloadtor-90303602773eca8505229c832119dafcbcfe1ab7.tar
tor-90303602773eca8505229c832119dafcbcfe1ab7.tar.gz
Add explicit check for 0-length extend2 cells
This is harmless in the Tor of today, but important for correctness. Fixes bug 10536; bugfix on 0.2.4.8-alpha. Reported by "cypherpunks".
-rw-r--r--changes/bug105366
-rw-r--r--src/or/onion.c7
2 files changed, 11 insertions, 2 deletions
diff --git a/changes/bug10536 b/changes/bug10536
new file mode 100644
index 000000000..e15da7c0f
--- /dev/null
+++ b/changes/bug10536
@@ -0,0 +1,6 @@
+
+ o Minor bugfixes:
+ - Reject 0-lenth EXTEND2 cells more expicitly. Previously our code would
+ reject them a bit later than it should have. This bug is
+ harmless. Fixes bug 10536; bugfix on 0.2.4.8-alpha. Reported by
+ "cypherpunks".
diff --git a/src/or/onion.c b/src/or/onion.c
index 3e1d63d4e..30b983d91 100644
--- a/src/or/onion.c
+++ b/src/or/onion.c
@@ -860,14 +860,17 @@ extend_cell_parse(extend_cell_t *cell_out, const uint8_t command,
}
case RELAY_COMMAND_EXTEND2:
{
- uint8_t n_specs = *payload, spectype, speclen;
+ uint8_t n_specs, spectype, speclen;
int i;
int found_ipv4 = 0, found_ipv6 = 0, found_id = 0;
tor_addr_make_unspec(&cell_out->orport_ipv4.addr);
tor_addr_make_unspec(&cell_out->orport_ipv6.addr);
+ if (payload_length == 0)
+ return -1;
+
cell_out->cell_type = RELAY_COMMAND_EXTEND2;
- ++payload;
+ n_specs = *payload++;
/* Parse the specifiers. We'll only take the first IPv4 and first IPv6
* address, and the node ID, and ignore everything else */
for (i = 0; i < n_specs; ++i) {
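Review bot: The new `if (payload_length == 0) return -1;` guard ahead of `n_specs = *payload++` has no comment explaining it and, going by the two-file diffstat, no regression test. Without the guard the specifier count would be read from a payload that holds no bytes, so I would add `/* The body starts with a one-byte specifier count; an empty payload has no such byte to read. */` above it so a later cleanup does not drop the check. A unit test that calls extend_cell_parse() with RELAY_COMMAND_EXTEND2 and a payload length of 0 and expects -1 would pin the behaviour. The two tor_addr_make_unspec() calls above the guard have already written to cell_out when it returns, so callers should treat cell_out as unspecified on failure. The function starts and ends outside this hunk, so the per-specifier bounds checks inside the loop are not visible here.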