[tor/master] Fixed buffer bounds check bug in tor_addr_to_str - tor-commits

11 Nov 2011

commit 930eed21c37d94c2f9c2b2a0f66135f554ce5079
Author: Anders Sundman anders@4zm.org
Date:   Fri Nov 11 07:53:58 2011 +0100
Fixed buffer bounds check bug in tor_addr_to_str
---
 src/common/address.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/common/address.c b/src/common/address.c
index b41456f..54ea5df 100644
--- a/src/common/address.c
+++ b/src/common/address.c
@@ -350,15 +350,21 @@ tor_addr_to_str(char *dest, const tor_addr_t *addr, size_t len, int decorate)
switch (tor_addr_family(addr)) {
     case AF_INET:
-      if (len<3)
+      /* Shortest addr x.x.x.x + \0 */
+      if (len < 8)
         return NULL;
-        ptr = tor_inet_ntop(AF_INET, &addr->addr.in_addr, dest, len);
+      ptr = tor_inet_ntop(AF_INET, &addr->addr.in_addr, dest, len);
       break;
     case AF_INET6:
+      /* Shortest addr [ :: ] + \0 */
+      if (len < (3 + (decorate ? 2 : 0)))
+        return NULL;
+
       if (decorate)
         ptr = tor_inet_ntop(AF_INET6, &addr->addr.in6_addr, dest+1, len-2);
       else
         ptr = tor_inet_ntop(AF_INET6, &addr->addr.in6_addr, dest, len);
+
       if (ptr && decorate) {
         *dest = '[';
         memcpy(dest+strlen(dest), "]", 2);

    