commit 3fadc074caa2f69b9d4ef17339a42dc9fbe4ad9e Author: Stephen Palmateer stephen.palmateer@gmail.com Date: Wed Dec 21 12:48:38 2011 -0500

Remove (untriggerable) overflow in crypto_random_hostname()

Fixes bug 4413; bugfix on xxxx.

Hostname components cannot be larger than 63 characters. This simple check makes certain randlen cannot overflow rand_bytes_len. --- changes/bug4413 | 2 ++ src/common/crypto.c | 8 ++++++++ 2 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/changes/bug4413 b/changes/bug4413 new file mode 100644 index 0000000..653ddeb --- /dev/null +++ b/changes/bug4413 @@ -0,0 +1,2 @@ +Minor bugfixes: + - Check for a potential, however unlikely, integer overflow. Fixes bug 4413; Bugfix on 0.2.3.9-alpha. diff --git a/src/common/crypto.c b/src/common/crypto.c index 673fc0c..9ee3d98 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -82,6 +82,9 @@ #include "sha256.c" #define SHA256_Final(a,b) sha256_done(b,a)

+/* Bug 4413*/ +#define MAX_HOSTNAME_SIZE 63 + static unsigned char * SHA256(const unsigned char *m, size_t len, unsigned char *d) { @@ -2554,7 +2557,12 @@ crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix, size_t resultlen, prefixlen;

tor_assert(max_rand_len >= min_rand_len); + randlen = min_rand_len + crypto_rand_int(max_rand_len - min_rand_len + 1); + if (randlen > MAX_HOSTNAME_SIZE) { + randlen = MAX_HOSTNAME_SIZE; + } + prefixlen = strlen(prefix); resultlen = prefixlen + strlen(suffix) + randlen + 16;