From cb1617f18e94b244dc0847658e006057040dcc37 Mon Sep 17 00:00:00 2001
From: Roger Dingledine <arma@mit.edu>
Date: Fri, 12 Jun 2009 11:18:02 -0400
Subject: [PATCH] Check answer_len in the remap_addr case of
 process_relay_cell_not_open.

Fix an edge case where a malicious exit relay could convince a
controller that the client's DNS question resolves to an internal IP
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
---
 ChangeLog      | 5 +++++
 src/or/relay.c | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 3afc590258..4d43e7a6f3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,9 @@
 Changes in version 0.2.2.1-alpha - 2009-??-??
+  o Security fixes:
+    - Fix an edge case where a malicious exit relay could convince a
+      controller that the client's DNS question resolves to an internal IP
+      address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
+
   o Major features:
     - Add support for dynamic OpenSSL hardware crypto acceleration engines
       via new AccelName and AccelDir options.
diff --git a/src/or/relay.c b/src/or/relay.c
index 4e09c0040b..e9baac6a45 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -947,7 +947,7 @@ connection_edge_process_relay_cell_not_open(
                    cell->payload+RELAY_HEADER_SIZE+2, /*answer*/
                    ttl,
                    -1);
-    if (answer_type == RESOLVED_TYPE_IPV4) {
+    if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
       uint32_t addr = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+2));
       remap_event_helper(conn, addr);
     }