[tor-bugs] #10536 [Tor]: extend_cell_parse: don't try to parse payload if zero length

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jan 2 00:49:31 UTC 2014


#10536: extend_cell_parse: don't try to parse payload if zero length
-------------------------+---------------------
 Reporter:  cypherpunks  |          Owner:
     Type:  defect       |         Status:  new
 Priority:  normal       |      Milestone:
Component:  Tor          |        Version:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
-------------------------+---------------------
 If the payload length for an EXTEND2 cell is zero, then extend_cell_parse()
 still tries to parse it by:
 {{{
 uint8_t n_specs = *payload;
 }}}
 This bug should be harmless as
 {{{
  if (eop - payload < 2)
 }}}
 is still true.

 Fixed code should look like:
 {{{
 uint8_t n_specs = 0;
 ...
 if (eop - payload > 0)
   ++payload;
 ...
 }}}
 or
 {{{
 uint8_t n_specs;
 ...
 if (eop - payload < 1)
   return -1;
 cell_out->cell_type = RELAY_COMMAND_EXTEND2;
 ++payload;
 }}}
 or dropping the cell for any cell type if the length is zero:
 {{{
 int
 extend_cell_parse(extend_cell_t *cell_out, const uint8_t command,
                   const uint8_t *payload, size_t payload_length)
 {
   const uint8_t *eop;

   memset(cell_out, 0, sizeof(*cell_out));
   if (payload_length > RELAY_PAYLOAD_SIZE || 0 == payload_length)
     return -1;
 }}}
 or something.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10536>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
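
An added example, not part of the ticket and not Tor's code: a stand-alone C sketch of the check the report asks for, where the remaining length is tested before every read of a count-prefixed payload, including the first count byte. The function name `count_specs`, the `[n_specs][type][len][body]` layout, the cap `SKETCH_MAX_PAYLOAD` and the sample byte arrays are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed upper bound for this sketch; stands in for the parser's size cap. */
#define SKETCH_MAX_PAYLOAD 498

/* Constructed sample payloads (not captured traffic). */
const uint8_t sample_ok[] = {2, 0x00, 4, 1, 2, 3, 4, 0x02, 2, 0xaa, 0xbb};
const uint8_t sample_truncated[] = {1, 0x00, 4, 1, 2};
const uint8_t sample_no_specs[] = {0};

/* Walk a count-prefixed list laid out as [n_specs] then n_specs entries of
 * [type][len][len bytes]. Returns the number of entries, or -1 if the
 * payload is empty, oversized or truncated. */
int
count_specs(const uint8_t *payload, size_t payload_length)
{
  const uint8_t *eop;
  uint8_t n_specs;
  int i;

  if (payload_length > SKETCH_MAX_PAYLOAD)
    return -1;
  eop = payload + payload_length;

  /* Check before the first dereference: a zero-length payload has no
   * count byte, so reading *payload would look past the end. */
  if (eop - payload < 1)
    return -1;
  n_specs = *payload++;

  for (i = 0; i < n_specs; ++i) {
    uint8_t len;
    if (eop - payload < 2)      /* need the type and length bytes */
      return -1;
    len = payload[1];
    payload += 2;
    if (eop - payload < len)    /* body must fit in what is left */
      return -1;
    payload += len;
  }
  return n_specs;
}
```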

