mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-20 10:12:15 +01:00
Check answer_len in the remap_addr case of process_relay_cell_not_open.
Fix an edge case where a malicious exit relay could convince a controller that the client's DNS question resolves to an internal IP address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
This commit is contained in:
parent
c50098ffc5
commit
845326317d
@ -1,4 +1,9 @@
|
||||
Changes in version 0.2.1.16-?? - 2009-??-??
|
||||
o Security fixes:
|
||||
- Fix an edge case where a malicious exit relay could convince a
|
||||
controller that the client's DNS question resolves to an internal IP
|
||||
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
|
||||
|
||||
o Major performance improvements (on 0.2.0.x):
|
||||
- Disable and refactor some debugging checks that forced a linear scan
|
||||
over the whole server-side DNS cache. These accounted for over 50%
|
||||
|
@ -947,7 +947,7 @@ connection_edge_process_relay_cell_not_open(
|
||||
cell->payload+RELAY_HEADER_SIZE+2, /*answer*/
|
||||
ttl,
|
||||
-1);
|
||||
if (answer_type == RESOLVED_TYPE_IPV4) {
|
||||
if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
|
||||
uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2));
|
||||
remap_event_helper(conn, addr);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user