[tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)

Roger Dingledine arma at mit.edu
Mon Jan 30 09:45:34 UTC 2012


On Thu, Jan 26, 2012 at 10:42:53PM +0100, Ondrej Mikle wrote:
> Also, this seems to be a bug in
> relay.c:connection_edge_process_relay_cell_not_open(), the
> RELAY_COMMAND_RESOLVED case:
> 
>     answer_len = cell->payload[RELAY_HEADER_SIZE+1];
>     if (rh->length < 2 || answer_len+2>rh->length) {...}
> 
> Payload is accessed before checking bounds.

cell->payload is a fixed-size array. It's going to be there no matter
what values are in it.

Unless I'm misunderstanding you?

--Roger
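
The check order discussed in this message, as an added example that is not part of the original email or Tor's own code: a fixed-index read from a fixed-size payload array stays in bounds, and the untrusted length byte is validated before it drives any variable-length access. The struct, the sizes and the names `demo_cell_t`, `parse_answer` and `make_cell` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins; sizes and names are assumptions, not Tor's definitions. */
#define PAYLOAD_SIZE 509   /* fixed payload array size */
#define HEADER_SIZE  11    /* bytes of header before the body */

typedef struct {
    uint8_t payload[PAYLOAD_SIZE];  /* always fully allocated */
} demo_cell_t;

/* Parse one [type][len][value] answer from the body.
 * declared_len is the sender-supplied body length from the header.
 * Returns the number of value bytes copied to out, or -1 if rejected. */
int parse_answer(const demo_cell_t *cell, size_t declared_len,
                 uint8_t *out, size_t out_cap)
{
    /* Constant index into a fixed-size array: HEADER_SIZE+1 < PAYLOAD_SIZE,
     * so this read stays inside the object whatever declared_len is.
     * The byte may be stale or attacker-chosen, so it is untrusted. */
    size_t answer_len = cell->payload[HEADER_SIZE + 1];

    /* The body cannot extend past the fixed array. */
    if (declared_len > PAYLOAD_SIZE - HEADER_SIZE)
        return -1;
    /* Need type+len bytes, and the value must fit in the declared body. */
    if (declared_len < 2 || answer_len + 2 > declared_len)
        return -1;
    if (answer_len > out_cap)
        return -1;

    /* Only now is answer_len used to drive a variable-length access. */
    memcpy(out, &cell->payload[HEADER_SIZE + 2], answer_len);
    return (int)answer_len;
}

/* Build a constructed cell with a 4-byte value and the given length byte. */
demo_cell_t make_cell(uint8_t len_byte)
{
    demo_cell_t c;
    memset(&c, 0, sizeof c);
    c.payload[HEADER_SIZE] = 4;            /* constructed type byte */
    c.payload[HEADER_SIZE + 1] = len_byte; /* claimed value length */
    memcpy(&c.payload[HEADER_SIZE + 2], "\x7f\x00\x00\x01", 4);
    return c;
}
```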


