commit 48bdc2f729cba1a22305f6150d230cf0334ebd55 Author: Nick Mathewson nickm@torproject.org Date: Mon Apr 18 13:53:13 2011 -0700
Correct HS descriptor length check
Fixes bug 2948. --- changes/bug2948 | 7 +++++++ src/or/routerparse.c | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/changes/bug2948 b/changes/bug2948
new file mode 100644
index 0000000..640ef62
--- /dev/null
+++ b/changes/bug2948
@@ -0,0 +1,7 @@
+ o Minor bugfixes
+ - Only limit the lengths of single HS descriptors, even when
+ multiple HS descriptors are published to an HSDir relay in a
+ single POST operation. Fixes bug 2948; bugfix on 0.2.1.5-alpha.
+ Found by hsdir.
+
+
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 8456a0a..dd72eb6 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4638,12 +4638,12 @@ rend_parse_v2_service_descriptor(rend_service_descriptor_t **parsed_out,
 else
 eos = eos + 1;
 /* Check length. */
- if (strlen(desc) > REND_DESC_MAX_SIZE) {
+ if (eos-desc > REND_DESC_MAX_SIZE) {
 /* XXX023 If we are parsing this descriptor as a server, this
 * should be a protocol warning. */
 log_warn(LD_REND, "Descriptor length is %i which exceeds "
 "maximum rendezvous descriptor size of %i bytes.",
- (int)strlen(desc), REND_DESC_MAX_SIZE);
+ (int)(eos-desc), REND_DESC_MAX_SIZE);
 goto err;
 }
 /* Tokenize descriptor. */
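Review bot: With the limit now applied to `eos-desc`, the check in `rend_parse_v2_service_descriptor` bounds only one descriptor, so nothing visible in this hunk caps how many descriptors, or how many bytes in total, a single POST to an HSDir may carry; the old `strlen(desc)` test did that as a side effect. That cap presumably lives in the caller or in the HTTP body limit, which is worth confirming, and the bare `/* Check length. */` could say what is measured, e.g. `/* Check length of this one descriptor; eos marks its end. */`. The retained `XXX023` note also still applies: the `log_warn` can be triggered by whoever uploads the descriptor, and after this change presumably once per oversized descriptor rather than once per upload, so a protocol-level severity on the server path would keep relay logs from being filled remotely. The function begins and ends outside the hunk, including the code that sets `eos`, so the assumption that `eos` never precedes `desc` cannot be checked from here.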