Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#10536 closed defect (fixed)

extend_cell_parse: don't try to parse payload if zero length

Reported by: cypherpunks
Owned by:
Priority: Medium
Milestone: Tor: 0.2.5.x-final
Component: Core Tor/Tor
Version:
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

If payload length for EXTEND2 cell is zero then extend_cell_parse() still tries to parse it by:

uint8_t n_specs = *payload

This bug should be harmless as

 if (eop - payload < 2)

is still true.

Fixed code should look like:

uint8_t n_specs = 0;
...
if (eop - payload > 0)
  ++payload;
...

or

uint8_t n_specs;
...
if (eop - payload < 1)
  return -1;
cell_out->cell_type = RELAY_COMMAND_EXTEND2;
++payload;

or like dropping the cell for any cell type if it is zero length:

int
extend_cell_parse(extend_cell_t *cell_out, const uint8_t command,
                  const uint8_t *payload, size_t payload_length)
{
  const uint8_t *eop;

  memset(cell_out, 0, sizeof(*cell_out));
  if (payload_length > RELAY_PAYLOAD_SIZE || 0 == payload_length)
    return -1;

or something.
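The length-before-dereference check discussed in this ticket, as an added example that is not Tor's code and not part of the ticket. `count_link_specs` is a hypothetical helper, and the payload layout (one count byte followed by type/length/body specifiers) and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample payloads (not captured traffic). */
static const uint8_t SAMPLE_OK[] = { 0x02, 0x00, 0x04, 1, 2, 3, 4,
                                     0x02, 0x02, 0xaa, 0xbb };
static const uint8_t SAMPLE_NO_BODY[] = { 0x01 };

/* Hypothetical helper: count the specifiers in a payload assumed to be
 *   n_specs (1 byte), then n_specs x { type (1), len (1), body (len) }.
 * Returns the count, or -1 if the payload is too short at any step. */
int
count_link_specs(const uint8_t *payload, size_t payload_length)
{
  const uint8_t *eop;
  uint8_t n_specs;
  int i;

  /* Reject before the first dereference: a zero-length payload has no
   * count byte to read. */
  if (payload == NULL || payload_length < 1)
    return -1;
  eop = payload + payload_length;

  n_specs = *payload++;
  for (i = 0; i < n_specs; ++i) {
    uint8_t speclen;
    if (eop - payload < 2)        /* need the type and len bytes */
      return -1;
    speclen = payload[1];
    payload += 2;
    if (eop - payload < speclen)  /* need the whole specifier body */
      return -1;
    payload += speclen;
  }
  return n_specs;
}

int
main(void)
{
  printf("full=%d truncated=%d empty=%d no_body=%d\n",
         count_link_specs(SAMPLE_OK, sizeof(SAMPLE_OK)),
         count_link_specs(SAMPLE_OK, sizeof(SAMPLE_OK) - 1),
         count_link_specs(SAMPLE_OK, 0),
         count_link_specs(SAMPLE_NO_BODY, sizeof(SAMPLE_NO_BODY)));
  return 0;
}
```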

Change History (2)

comment:1 Changed 6 years ago by nickm

Milestone: Tor: 0.2.5.x-final
Resolution: fixed
Status: new → closed

Fixed in 90303602773eca8505229c832119dafcbcfe1ab7

comment:2 Changed 6 years ago by cypherpunks

Fixed in

Nobody cares. Everyone continues to use oftc with ombudsman-censor.
