[tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)

Ondrej Mikle ondrej.mikle at gmail.com
Tue Jan 31 01:16:10 UTC 2012


On 01/30/2012 10:45 AM, Roger Dingledine wrote:
> On Thu, Jan 26, 2012 at 10:42:53PM +0100, Ondrej Mikle wrote:
>> Also, this seems to be a bug in
>> relay.c:connection_edge_process_relay_cell_not_open(), the
>> RELAY_COMMAND_RESOLVED case:
>>
>>     answer_len = cell->payload[RELAY_HEADER_SIZE+1];
>>     if (rh->length < 2 || answer_len+2>rh->length) {...}
>>
>> Payload is accessed before checking bounds.
> 
> cell->payload is a fixed-size array. It's going to be there no matter
> what values are in it.
> 
> Unless I'm misunderstanding you?

You're right. For some reason I thought it was malloc-ed buffer, but it's not.

Ondrej
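The distinction in the exchange above, as an added example rather than Tor's own code: a fixed-size cell payload makes the byte read at `payload[RELAY_HEADER_SIZE+1]` in bounds unconditionally, while the `rh->length` check is what guards the copy that follows. The constants, the `parse_resolved` and `check_case` helpers and the sample cell are assumptions for this illustration (the 509/11 sizes and type value are assumed to match Tor's).

```c
#include <stdint.h>
#include <string.h>

/* Assumed to match Tor's values: a cell payload is a fixed 509-byte array
 * and the relay header takes its first 11 bytes. */
#define CELL_PAYLOAD_SIZE 509
#define RELAY_HEADER_SIZE 11
#define RESOLVED_TYPE_IPV4 4   /* assumed Tor value for an IPv4 answer */

typedef struct { uint8_t payload[CELL_PAYLOAD_SIZE]; } cell_t;
typedef struct { uint16_t length; } relay_header_t; /* sender-declared length */

/* Hypothetical parser (not Tor's code) for a RESOLVED-style relay payload:
 * [type:1][answer_len:1][answer...]. Returns answer_len on success, -1
 * when the declared relay length does not cover the answer. Reading
 * payload[RELAY_HEADER_SIZE+1] before the check is in bounds regardless,
 * because payload is a fixed-size array, not a heap buffer sized by the
 * sender; the check protects the memcpy that follows it. */
int parse_resolved(const cell_t *cell, const relay_header_t *rh,
                   uint8_t *answer_type, uint8_t *answer_out)
{
    int answer_len = cell->payload[RELAY_HEADER_SIZE + 1];
    if (rh->length < 2 || answer_len + 2 > rh->length)
        return -1;
    /* Extra guard: the declared length must also fit inside the cell. */
    if (rh->length > CELL_PAYLOAD_SIZE - RELAY_HEADER_SIZE)
        return -1;
    *answer_type = cell->payload[RELAY_HEADER_SIZE];
    memcpy(answer_out, &cell->payload[RELAY_HEADER_SIZE + 2], (size_t)answer_len);
    return answer_len;
}

/* Constructed test cell: an IPv4 answer 10.0.0.1, with the answer_len byte
 * and the header's declared length chosen by the caller. */
int check_case(uint8_t answer_len_byte, uint16_t declared_length)
{
    cell_t cell;
    relay_header_t rh = { declared_length };
    uint8_t type = 0, answer[CELL_PAYLOAD_SIZE];
    memset(&cell, 0, sizeof cell);
    cell.payload[RELAY_HEADER_SIZE] = RESOLVED_TYPE_IPV4;
    cell.payload[RELAY_HEADER_SIZE + 1] = answer_len_byte;
    memcpy(&cell.payload[RELAY_HEADER_SIZE + 2], "\x0a\x00\x00\x01", 4);
    return parse_resolved(&cell, &rh, &type, answer);
}
```

`check_case(4, 6)` accepts the well-formed cell; a declared length of 1 or 5, or an answer_len byte of 255 with a declared length of 6, is rejected before any copy happens.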
