[tor-bugs] #18710 [Tor]: dnsserv.c asserts when no supported questions are requested

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Apr 3 05:36:03 UTC 2016


#18710: dnsserv.c asserts when no supported questions are requested
---------------------------+------------------------------------
     Reporter:  geekmug    |      Owner:
         Type:  defect     |     Status:  new
     Priority:  Very High  |  Milestone:
    Component:  Tor        |    Version:  Tor: 0.2.7.6
     Severity:  Normal     |   Keywords:  dns dnsport tor-client
Actual Points:             |  Parent ID:
       Points:             |   Reviewer:
      Sponsor:             |
---------------------------+------------------------------------
 The patch for #10268 has a simple crasher that is easily exploited from
 the network if DNSPort is open to a LAN (e.g., if you are transparent
 proxying).

 As [ticket:10268 #comment:11 andrea] hinted at, the added "if (!q) q =
 req->questions[i];" to the for loop ensures that "q" is always set to the
 first question, even if it's unsupported. In which case, the "if (!q)"
 check for NOTIMPL is dead code. Ultimately, you will eventually hit the
 "tor_assert" that was added to the "else" branch. Additionally, the
 "switch" block switches on "req->questions[i]->type", but the assignment
 to "supported_q" is "q" (which is always the first question) instead of
 "req->questions[i]", so it doesn't actually pick the first supported
 question -- it always picks the first question.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18710>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
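
The selection logic the ticket describes, modelled next to one possible correction. This is an added example, not part of the original report and not Tor's source or its eventual patch. The struct layout, the type constants, the set of supported types (A, AAAA, PTR) and the function names are assumptions made for the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (assumptions), not Tor's or libevent's definitions. */
enum { TYPE_A = 1, TYPE_PTR = 12, TYPE_MX = 15, TYPE_AAAA = 28 };
struct question { int type; };
struct request { int nquestions; const struct question *questions; };

static int supported(int type) {
  return type == TYPE_A || type == TYPE_AAAA || type == TYPE_PTR;
}

/* Selection as the ticket describes it. Returns the type the handler goes on
 * to dispatch on, or -1 where it would answer NOTIMPL. */
int pick_as_reported(const struct request *req) {
  const struct question *q = NULL, *supported_q = NULL;
  for (int i = 0; i < req->nquestions; ++i) {
    if (!q)
      q = &req->questions[i];        /* always the first question */
    if (supported(req->questions[i].type) && !supported_q)
      supported_q = q;               /* bug: q, not questions[i] */
  }
  if (supported_q)
    q = supported_q;
  return q ? q->type : -1;           /* -1 is unreachable with >= 1 question */
}

/* One possible correction: remember only a question whose type is supported,
 * so "nothing supported" stays distinguishable and maps to NOTIMPL. */
int pick_fixed(const struct request *req) {
  for (int i = 0; i < req->nquestions; ++i)
    if (supported(req->questions[i].type))
      return req->questions[i].type;
  return -1;
}

/* Constructed sample requests (query types only, no wire format). */
static const struct question ONLY_MX[] = { { TYPE_MX } };
static const struct question MX_THEN_A[] = { { TYPE_MX }, { TYPE_A } };
const struct request REQ_ONLY_MX = { 1, ONLY_MX };
const struct request REQ_MX_THEN_A = { 2, MX_THEN_A };

int main(void) {
  printf("only MX:   reported=%d fixed=%d\n",
         pick_as_reported(&REQ_ONLY_MX), pick_fixed(&REQ_ONLY_MX));
  printf("MX then A: reported=%d fixed=%d\n",
         pick_as_reported(&REQ_MX_THEN_A), pick_fixed(&REQ_MX_THEN_A));
  return 0;
}
```

In the model, an unsupported type returned by `pick_as_reported` is the case that falls through to the asserting "else" branch the ticket mentions.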

