Commit 10e5ed1a authored by Nick Mathewson

r13602@Kushana: nickm | 2007-07-07 23:44:24 -0400

Backport candidate: fix a possible buffer overrun when using natd support on old BSDs. Based on a patch from "Mr. Croup".


svn:r10760
parent db3a4bf8
+4 −0
@@ -66,6 +66,10 @@ Changes in version 0.2.0.3-alpha - 2007-??-??
      never choose any guards past it. This way we don't expand our
      guard list unless we need to. [Bugfix in 0.1.2.x]

  o Security fixes (BSD natd support):
    - Fix a possible buffer overrun when using BSD natd support.  Bug found
      by croup.


Changes in version 0.2.0.2-alpha - 2007-06-02
  o Major bugfixes on 0.2.0.1-alpha:
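Review bot: the new "Security fixes (BSD natd support)" entry omits the "[Bugfix in 0.1.2.x]"-style tag that the neighbouring entry in this hunk carries, and since the commit message calls this a backport candidate the affected release series is exactly what a reader of this file will look for; suggest appending it, e.g. "by croup. [Bugfix on 0.1.2.x]". The credit also differs between here ("croup") and the commit message ("Mr. Croup"); pick one spelling for both.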
+8 −4
@@ -1702,10 +1702,14 @@ connection_ap_process_natd(edge_connection_t *conn)
  }

  daddr = tbuf = &tmp_buf[0] + 6; /* after end of "[DEST " */
  while (*tbuf != '\0' && *tbuf != ' ')
    tbuf++;
  *tbuf = '\0';
  tbuf++;
  if (!(tbuf = strchr(tbuf, ' '))) {
    log_warn(LD_APP,"Natd handshake was ill-formed; closing. The client "
             "said: %s",
             escaped(tmp_buf));
    connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
    return -1;
  }
  *tbuf++ = '\0';

  /* pretend that a socks handshake completed so we don't try to
   * send a socks reply down a natd conn */
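Review bot: the first field scan at the top of the hunk is still unguarded, unlike the second one that this change fixes. `while (*tbuf != '\0' && *tbuf != ' ')` stops on the terminating NUL as well as on a space, and the following `*tbuf = '\0'; tbuf++;` then steps one past the end of the string, so when the line carries no space after the destination address the new `strchr(tbuf, ' ')` check scans whatever lies beyond the terminator in `tmp_buf` instead of the client's input. Suggest rejecting that case before advancing, mirroring the new check: `if (*tbuf != ' ') { log_warn(LD_APP, "Natd handshake was ill-formed; closing. ..."); connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST); return -1; }` followed by `*tbuf++ = '\0';`, which also matches the `*tbuf++ = '\0';` form used at the end of the hunk.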