Add explicit check for 0-length extend2 cells

This is harmless in the Tor of today, but important for correctness.

Fixes bug 10536; bugfix on 0.2.4.8-alpha. Reported by "cypherpunks".

diff --git a/changes/bug10536 b/changes/bug10536
new file mode 100644 (file)
index 0000000..e15da7c
--- /dev/null
+++ b/changes/bug10536
@@ -0,0 +1,6 @@
+
+  o Minor bugfixes:
+    - Reject 0-lenth EXTEND2 cells more expicitly. Previously our code would
+      reject them a bit later than it should have. This bug is
+      harmless. Fixes bug 10536; bugfix on 0.2.4.8-alpha. Reported by
+      "cypherpunks".

diff --git a/src/or/onion.c b/src/or/onion.c
index 3e1d63d4e2b8224667e7349d198aa6cdb8cdea4a..30b983d91ec4301c00789f3a36594d4e98f3b6be 100644 (file)
--- a/src/or/onion.c
+++ b/src/or/onion.c
@@ -860,14 +860,17 @@ extend_cell_parse(extend_cell_t *cell_out, const uint8_t command,
     }
   case RELAY_COMMAND_EXTEND2:
     {
-      uint8_t n_specs = *payload, spectype, speclen;
+      uint8_t n_specs, spectype, speclen;
       int i;
       int found_ipv4 = 0, found_ipv6 = 0, found_id = 0;
       tor_addr_make_unspec(&cell_out->orport_ipv4.addr);
       tor_addr_make_unspec(&cell_out->orport_ipv6.addr);
 
+      if (payload_length == 0)
+        return -1;
+
       cell_out->cell_type = RELAY_COMMAND_EXTEND2;
-      ++payload;
+      n_specs = *payload++;
       /* Parse the specifiers. We'll only take the first IPv4 and first IPv6
        * address, and the node ID, and ignore everything else */
       for (i = 0; i < n_specs; ++i) {