From: Anders Sundman <anders@4zm.org>
Date: Fri, 11 Nov 2011 06:53:58 +0000 (+0100)
Subject: Fixed buffer bounds check bug in tor_addr_to_str
X-Git-Tag: tor-0.2.3.8-alpha~43^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=930eed21c37d94c2f9c2b2a0f66135f554ce5079;p=thirdparty%2Ftor.git

Fixed buffer bounds check bug in tor_addr_to_str
---

diff --git a/src/common/address.c b/src/common/address.c
index b41456f8de..54ea5df862 100644
--- a/src/common/address.c
+++ b/src/common/address.c
@@ -350,15 +350,21 @@ tor_addr_to_str(char *dest, const tor_addr_t *addr, size_t len, int decorate)
 
   switch (tor_addr_family(addr)) {
     case AF_INET:
-      if (len<3)
+      /* Shortest addr x.x.x.x + \0 */
+      if (len < 8)
         return NULL;
-        ptr = tor_inet_ntop(AF_INET, &addr->addr.in_addr, dest, len);
+      ptr = tor_inet_ntop(AF_INET, &addr->addr.in_addr, dest, len);
       break;
     case AF_INET6:
+      /* Shortest addr [ :: ] + \0 */
+      if (len < (3 + (decorate ? 2 : 0)))
+        return NULL;
+
       if (decorate)
         ptr = tor_inet_ntop(AF_INET6, &addr->addr.in6_addr, dest+1, len-2);
       else
         ptr = tor_inet_ntop(AF_INET6, &addr->addr.in6_addr, dest, len);
+
       if (ptr && decorate) {
         *dest = '[';
         memcpy(dest+strlen(dest), "]", 2);