[tor-commits] [tor/master] Avoid a use-after-null-check in proto_socks.c

[nickm at torproject.org]

commit 8505522e508c8d2379afbd86154a910948cf8c70
Author: Nick Mathewson <nickm at torproject.org>
Date:   Mon Jul 16 07:51:11 2018 -0400

    Avoid a use-after-null-check in proto_socks.c
    
    Coverity rightly complains that early in the function we're checking
    whether username is NULL, and later we're passing it unconditionally
    to strlen().
    
    Fixes CID 1437967.  Bug not in any released Tor.
---
 src/core/proto/proto_socks.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/core/proto/proto_socks.c b/src/core/proto/proto_socks.c
index 9cc9568a4..ccf96f781 100644
--- a/src/core/proto/proto_socks.c
+++ b/src/core/proto/proto_socks.c
@@ -166,7 +166,7 @@ parse_socks4_request(const uint8_t *raw_data, socks_request_t *req,
   *is_socks4a = (dest_ip >> 8) == 0;
 
   const char *username = socks4_client_request_get_username(trunnel_req);
-  size_t usernamelen = username ? strlen(username) : 0;
+  const size_t usernamelen = username ? strlen(username) : 0;
   if (username && usernamelen) {
     if (usernamelen > MAX_SOCKS_MESSAGE_LEN) {
       log_warn(LD_APP, "Socks4 user name too long; rejecting.");
@@ -184,7 +184,7 @@ parse_socks4_request(const uint8_t *raw_data, socks_request_t *req,
     // We cannot rely on trunnel here, as we want to detect if
     // we have abnormally long hostname field.
     const char *hostname = (char *)raw_data + SOCKS4_NETWORK_LEN +
-     strlen(username) + 1;
+     usernamelen + 1;
     size_t hostname_len = (char *)raw_data + datalen - hostname;
 
     if (hostname_len <= sizeof(req->address)) {