authorNick Mathewson <nickm@torproject.org>2013-03-11 12:29:28 -0400
committerNick Mathewson <nickm@torproject.org>2013-03-11 12:29:28 -0400
commitb9037521c6ba333178c3f3197c39be360aba229c (patch)
treee24dd7977917516d5671a540a931a477da23210f /src/or/channeltls.c
parent0196647970a91d2bdb052f38b3749dd0e99348e4 (diff)
Fix a framing bug when reading versions from a versions cell.
Our ++ should have been += 2. This means that we'd accept version numbers even when they started at an odd position. This bug should be harmless in practice for so long as every version number we allow begins with a 0 byte, but if we ever have a version number starting with 1, 2, 3, or 4, there will be trouble here. Fix for bug 8059, reported pseudonymously. Bugfix on 0.2.0.10-alpha -- specifically, commit 6fcda529, where during development I increased the width of a version to 16 bits without changing the loop step.
Diffstat (limited to 'src/or/channeltls.c')
-rw-r--r--src/or/channeltls.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/or/channeltls.c b/src/or/channeltls.c
index 1035a1412..60693daeb 100644
--- a/src/or/channeltls.c
+++ b/src/or/channeltls.c
@@ -1208,7 +1208,7 @@ channel_tls_process_versions_cell(var_cell_t *cell, channel_tls_t *chan)
tor_assert(chan->conn->handshake_state);
end = cell->payload + cell->payload_len;
- for (cp = cell->payload; cp+1 < end; ++cp) {
+ for (cp = cell->payload; cp+1 < end; cp += 2) {
uint16_t v = ntohs(get_uint16(cp));
if (is_or_protocol_version_known(v) && v > highest_supported_version)
highest_supported_version = v;
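Review bot: An odd `cell->payload_len` is still accepted here: the bound `cp+1 < end` simply drops the trailing byte, so a malformed VERSIONS cell is treated like a well-formed one. Since this is peer-supplied handshake input, I would reject it before the loop, e.g. `if (cell->payload_len % 2) { /* log a protocol warning and fail the handshake */ }`, using whatever error path the rest of the function already uses (not visible in this hunk). Separately, when the length is even the final test evaluates `cp+1` with `cp == end`, which presumably lies beyond the one-past-the-end position of the payload; counting pairs instead, `for (i = 0; i < cell->payload_len / 2; ++i, cp += 2)`, avoids forming that pointer. The loop body and the function both continue outside the hunk.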