authorNick Mathewson <nickm@torproject.org>2007-07-08 03:45:47 +0000
committerNick Mathewson <nickm@torproject.org>2007-07-08 03:45:47 +0000
commit10e5ed1a848e4663790d9b26b3c882dbb014a671 (patch)
tree184e0acdcc9daca0075823dcb57d6becced002e0 /src/or
parentdb3a4bf8976da8f4048d213a0cfe9e269c65a0e5 (diff)
downloadtor-10e5ed1a848e4663790d9b26b3c882dbb014a671.tar
tor-10e5ed1a848e4663790d9b26b3c882dbb014a671.tar.gz
r13602@Kushana: nickm | 2007-07-07 23:44:24 -0400
Backport candidate: fix a possible buffer overrun when using natd support on old BSDs. Based on a patch from "Mr. Croup". svn:r10760
Diffstat (limited to 'src/or')
-rw-r--r--src/or/connection_edge.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index 78625a5ff..e95fd893a 100644
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -1702,10 +1702,14 @@ connection_ap_process_natd(edge_connection_t *conn)
}
daddr = tbuf = &tmp_buf[0] + 6; /* after end of "[DEST " */
- while (*tbuf != '\0' && *tbuf != ' ')
- tbuf++;
- *tbuf = '\0';
- tbuf++;
+ if (!(tbuf = strchr(tbuf, ' '))) {
+ log_warn(LD_APP,"Natd handshake was ill-formed; closing. The client "
+ "said: %s",
+ escaped(tmp_buf));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
+ return -1;
+ }
+ *tbuf++ = '\0';
/* pretend that a socks handshake completed so we don't try to
* send a socks reply down a natd conn */
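Review bot: The new `strchr` check rejects a line with no space after the address, but a line whose space comes immediately after `[DEST ` still passes with `daddr` pointing at an empty string, and `tbuf` can be left pointing at the terminating NUL when nothing follows the space. Both values are consumed further down in connection_ap_process_natd, outside this hunk, so it is worth confirming that the address copy and the port parse reject empty input; if they do not, the guard could become `tbuf = strchr(daddr, ' ');` followed by `if (!tbuf || tbuf == daddr) {`. A short comment above the check, such as `/* the address must end at a space inside tmp_buf; never scan past the NUL */`, would record why the hand-written loop was replaced. The function starts and ends outside the hunk.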