[or-cvs] Handle relay cells with rh.length too large.
Nick Mathewson
nickm at seul.org
Tue May 17 20:00:27 UTC 2005
Update of /home/or/cvsroot/tor/src/or
In directory moria.mit.edu:/tmp/cvs-serv29623/src/or
Modified Files:
relay.c
Log Message:
Handle relay cells with rh.length too large.
Index: relay.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/relay.c,v
retrieving revision 1.68
retrieving revision 1.69
diff -u -d -r1.68 -r1.69
--- relay.c 3 May 2005 10:17:38 -0000 1.68
+++ relay.c 17 May 2005 20:00:24 -0000 1.69
@@ -779,6 +779,11 @@
num_seen++;
log_fn(LOG_DEBUG,"Now seen %d relay cells here.", num_seen);
+ if (rh.length > RELAY_PAYLOAD_SIZE) {
+ log_fn(LOG_WARN, "Relay cell length field too long. Closing circuit.");
+ return -1;
+ }
+
/* either conn is NULL, in which case we've got a control cell, or else
* conn points to the recognized stream. */
More information about the tor-commits
mailing list