Remove a check in channeltls.c that could never fail.

We were checking whether a 8-bit length field had overflowed a
503-byte buffer. Unless somebody has found a way to store "504" in a
single byte, it seems unlikely.

Fix for 10313 and 9980. Based on a pach by Jared L Wong. First found
by David Fifield with STACK.

diff --git a/changes/bug10313 b/changes/bug10313
new file mode 100644 (file)
index 0000000..b29d4da
--- /dev/null
+++ b/changes/bug10313
@@ -0,0 +1,8 @@
+  o Minor bugfixes:
+    - Fixed an erroneous pointer comparison that would have allowed
+      compilers to remove a bounds check in channeltls.c. The fix
+      was to remove the check entirely, since it was impossible for
+      the code to overflow the bounds. Noticed by Jared L
+      Wong. Fixes bug 10313 and 9980. Bugfix on 0.2.0.10-alpha.
+
+

diff --git a/src/or/channeltls.c b/src/or/channeltls.c
index f751c0da9918e6dd42091f13464daf3151e643e4..e622f2fe3aad18dcb9a239d235ce3acdfda83bb3 100644 (file)
--- a/src/or/channeltls.c
+++ b/src/or/channeltls.c
@@ -1408,12 +1408,14 @@ channel_tls_process_netinfo_cell(cell_t *cell, channel_tls_t *chan)
   my_addr_ptr = (uint8_t*) cell->payload + 6;
   end = cell->payload + CELL_PAYLOAD_SIZE;
   cp = cell->payload + 6 + my_addr_len;
-  if (cp >= end) {
-    log_fn(LOG_PROTOCOL_WARN, LD_OR,
-           "Addresses too long in netinfo cell; closing connection.");
-    connection_or_close_for_error(chan->conn, 0);
-    return;
-  } else if (my_addr_type == RESOLVED_TYPE_IPV4 && my_addr_len == 4) {
+
+  /* We used to check:
+   *    if (my_addr_len >= CELL_PAYLOAD_SIZE - 6) {
+   *
+   * This is actually never going to happen, since my_addr_len is at most 255,
+   * and CELL_PAYLOAD_LEN - 6 is 503.  So we know that cp is < end. */
+
+  if (my_addr_type == RESOLVED_TYPE_IPV4 && my_addr_len == 4) {
     tor_addr_from_ipv4n(&my_apparent_addr, get_uint32(my_addr_ptr));
   } else if (my_addr_type == RESOLVED_TYPE_IPV6 && my_addr_len == 16) {
     tor_addr_from_ipv6_bytes(&my_apparent_addr, (const char *) my_addr_ptr);