r13602@Kushana: nickm | 2007-07-07 23:44:24 -0400

Backport candidate: fix a possible buffer overrun when using natd support on old BSDs.  Based on a patch from "Mr. Croup".


svn:r10760

ChangeLog

@@ -66,6 +66,10 @@ Changes in version 0.2.0.3-alpha - 2007-??-??
       never choose any guards past it. This way we don't expand our
       guard list unless we need to. [Bugfix in 0.1.2.x]
 
+  o Security fixes (BSD natd support):
+    - Fix a possible buffer overrun when using BSD natd support.  Bug found
+      by croup.
+
 
 Changes in version 0.2.0.2-alpha - 2007-06-02
   o Major bugfixes on 0.2.0.1-alpha:

src/or/connection_edge.c

@@ -1702,10 +1702,14 @@ connection_ap_process_natd(edge_connection_t *conn)
   }
 
   daddr = tbuf = &tmp_buf[0] + 6; /* after end of "[DEST " */
-  while (*tbuf != '\0' && *tbuf != ' ')
-    tbuf++;
-  *tbuf = '\0';
-  tbuf++;
+  if (!(tbuf = strchr(tbuf, ' '))) {
+    log_warn(LD_APP,"Natd handshake was ill-formed; closing. The client "
+             "said: %s",
+             escaped(tmp_buf));
+    connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
+    return -1;
+  }
+  *tbuf++ = '\0';
 
   /* pretend that a socks handshake completed so we don't try to
    * send a socks reply down a natd conn */