Do not truncate too long hostnames

If a hostname is supplied to tor-resolve which is too long, it will be
silently truncated, resulting in a different hostname lookup:

$ tor-resolve $(python -c 'print("google.com" + "m" * 256)')

If tor-resolve uses SOCKS5, the length is stored in an unsigned char,
which overflows in this case and leads to the hostname "google.com".
As this one is a valid hostname, it returns an address instead of giving
an error due to the invalid supplied hostname.

diff --git a/src/tools/tor-resolve.c b/src/tools/tor-resolve.c
index 29f85c4d17ee6de7381fa53440d1594b657e89c0..6ac866d3c0e70bb128e64f7bafb8074a59170fab 100644 (file)
--- a/src/tools/tor-resolve.c
+++ b/src/tools/tor-resolve.c
@@ -80,6 +80,10 @@ build_socks_resolve_request(char **out,
     }
     ipv6 = reverse && tor_addr_family(&addr) == AF_INET6;
     addrlen = reverse ? (ipv6 ? 16 : 4) : 1 + strlen(hostname);
+    if (addrlen > UINT8_MAX) {
+      log_err(LD_GENERAL, "Hostname is too long!");
+      return -1;
+    }
     len = 6 + addrlen;
     *out = tor_malloc(len);
     (*out)[0] = 5; /* SOCKS version 5 */