From: Sebastian Hahn Date: Sat, 26 Sep 2009 13:41:52 +0000 (+0200) Subject: Make sure we can't overflow in connection_ap_handshake_send_resolve X-Git-Tag: tor-0.2.2.4-alpha~26 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6a68b5059710d96767a7c7c7acd6a1e0bc933874;p=thirdparty%2Ftor.git Make sure we can't overflow in connection_ap_handshake_send_resolve Found by Coverity --- diff --git a/ChangeLog b/ChangeLog index 451a20c30d..c79c865efa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,8 @@ Changes in version 0.2.2.4-alpha - 2009-??-?? on 0.2.2.1-alpha. - Fix two memory leaks in the error case of circuit_build_times_parse_state. Bugfix on 0.2.2.2-alpha. + - Make it explicit that we can't overflow in + connection_ap_handshake_send_resolve. Bugfix on 0.0.7.1-1. Changes in version 0.2.2.3-alpha - 2009-09-23 o Major bugfixes: diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index f25202725e..0e6297a50a 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -2156,8 +2156,9 @@ connection_ap_handshake_send_resolve(edge_connection_t *ap_conn) tor_assert(payload_len <= (int)sizeof(inaddr_buf)); } - if (payload_len > RELAY_PAYLOAD_SIZE) { + if (payload_len > MAX_SOCKS_ADDR_LEN) { /* This should be impossible: we don't accept addresses this big. */ + /* XXX Should we log a bug here? */ connection_mark_unattached_ap(ap_conn, END_STREAM_REASON_INTERNAL); return -1; }
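Review bot: In the src/or/connection_edge.c hunk, the added comment "XXX Should we log a bug here?" leaves the question open in the tree, and as written the branch fails silently: the stream is closed with END_STREAM_REASON_INTERNAL and -1 is returned with no record of why. The existing comment already calls this case impossible, so reaching it means an invariant was broken elsewhere. Settle it in this patch by emitting a warn-level log message that includes payload_len before connection_mark_unattached_ap, then drop the XXX. Separately, the hunk does not show the buffer that the new MAX_SOCKS_ADDR_LEN bound is meant to protect, unlike the tor_assert just above it, which is tied to sizeof(inaddr_buf). If the destination is a fixed-size array, express the limit in terms of sizeof that array, or add a compile-time check that MAX_SOCKS_ADDR_LEN does not exceed RELAY_PAYLOAD_SIZE, so the earlier guarantee that the payload fits in a relay cell is kept if either constant changes later.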
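Review bot: In the ChangeLog hunk, the new entry is tagged "Bugfix on 0.0.7.1-1" but worded "Make it explicit that we can't overflow", and the code comment in the same patch says the guarded condition should be impossible, so a reader cannot tell whether earlier releases were actually exposed. Say which it is, for example that this tightens a length check from RELAY_PAYLOAD_SIZE to MAX_SOCKS_ADDR_LEN as hardening with no known reachable overflow, and mention that Coverity reported it, as the commit message does.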