10365: Close connections if the VERSIONS cell has an odd length.

author rl1987 <rl1987@sdf.lonestar.org>

Tue, 24 Dec 2013 19:50:58 +0000 (21:50 +0200)

committer Nick Mathewson <nickm@torproject.org>

Mon, 3 Feb 2014 18:14:27 +0000 (13:14 -0500)
author rl1987 <rl1987@sdf.lonestar.org>
Tue, 24 Dec 2013 19:50:58 +0000 (21:50 +0200)
committer Nick Mathewson <nickm@torproject.org>
Mon, 3 Feb 2014 18:14:27 +0000 (13:14 -0500)
diff --git a/changes/bug10365 b/changes/bug10365

new file mode 100644 (file)

index 0000000..f7a1515
--- /dev/null
+++ b/changes/bug10365
@@ -0,0 +1,7 @@
+  o Minor bugfixes:
+
+    - When receving a VERSIONS cell with an odd number of bytes, close
+      the connection immediately. Fix for bug 10365; bugfix on
+      0.2.0.10-alpha. Spotted by "bobnomnom"; fix by "rl1987".
+
+
diff --git a/src/or/channeltls.c b/src/or/channeltls.c

index 4943054f5641655e21052963584255ad7080eba5..9a290778f537da0c68f6beba2eb108b832390329 100644 (file)
--- a/src/or/channeltls.c
+++ b/src/or/channeltls.c
@@ -1208,6 +1208,14 @@ channel_tls_process_versions_cell(var_cell_t *cell, channel_tls_t *chan)
    tor_assert(chan);
    tor_assert(chan->conn);
  
+  if ((cell->payload_len % 2) == 1) {
+    log_fn(LOG_PROTOCOL_WARN, LD_OR,
+           "Received a VERSION cell with odd payload length %d; "
+           "closing connection.",cell->payload_len);
+    connection_or_close_for_error(chan->conn, 0);
+    return;
+  }
+
    started_here = connection_or_nonopen_was_started_here(chan->conn);
  
    if (chan->conn->link_proto != 0 ||
author	rl1987 <rl1987@sdf.lonestar.org>
	Tue, 24 Dec 2013 19:50:58 +0000 (21:50 +0200)
committer	Nick Mathewson <nickm@torproject.org>
	Mon, 3 Feb 2014 18:14:27 +0000 (13:14 -0500)
changes/bug10365	[new file with mode: 0644]	patch \| blob
src/or/channeltls.c		patch \| blob \| blame \| history