Fixed buffer bounds check bug in tor_addr_to_str

diff --git a/src/common/address.c b/src/common/address.c
index b41456f8def57b16c7b73f8904673776be5f63c6..54ea5df86226fb7d07bc9de244eef19d237351ee 100644 (file)
--- a/src/common/address.c
+++ b/src/common/address.c
@@ -350,15 +350,21 @@ tor_addr_to_str(char *dest, const tor_addr_t *addr, size_t len, int decorate)
 
   switch (tor_addr_family(addr)) {
     case AF_INET:
-      if (len<3)
+      /* Shortest addr x.x.x.x + \0 */
+      if (len < 8)
         return NULL;
-        ptr = tor_inet_ntop(AF_INET, &addr->addr.in_addr, dest, len);
+      ptr = tor_inet_ntop(AF_INET, &addr->addr.in_addr, dest, len);
       break;
     case AF_INET6:
+      /* Shortest addr [ :: ] + \0 */
+      if (len < (3 + (decorate ? 2 : 0)))
+        return NULL;
+
       if (decorate)
         ptr = tor_inet_ntop(AF_INET6, &addr->addr.in6_addr, dest+1, len-2);
       else
         ptr = tor_inet_ntop(AF_INET6, &addr->addr.in6_addr, dest, len);
+
       if (ptr && decorate) {
         *dest = '[';
         memcpy(dest+strlen(dest), "]", 2);