tor

The Tor anonymity network

commit 81446c9a98e25e5f67c277f12e90958e3a63ec33
parent 71a1e5dfa4b495cba3e3e5a26b06a5a42ae93ba9
Author: David Goulet <dgoulet@torproject.org>
Date:   Wed, 28 Jan 2026 09:00:40 -0500

Merge branch 'maint-0.4.8'

Diffstat:
Achanges/bug41180 | 5+++++
Achanges/ticket_41190 | 4++++
Msrc/core/or/onion.c | 4++++
Msrc/core/proto/proto_socks.c | 19++++++++-----------
4 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/changes/bug41180 b/changes/bug41180
@@ -0,0 +1,5 @@
+ o Major bugfixes (security):
+ - Avoid an out-of-bounds read error that could occur with
+ V1-formatted cells on Tor 0.4.9.3-alpha or later.
+ Fixes bug 41180; bugfix on 0.4.9.3-alpha.
+ This is tracked as TROVE-2025-016.
diff --git a/changes/ticket_41190 b/changes/ticket_41190
@@ -0,0 +1,4 @@
+ o Code simplification and refactoring:
+ - Simplify SOCKS4a parsing to avoid the (false) appearance of
+ integer underflows, and to make the logic more obvious.
+ Fixes bug 41190; bugfix on 0.3.5.1-alpha.
diff --git a/src/core/or/onion.c b/src/core/or/onion.c
@@ -420,6 +420,10 @@ extended_cell_parse(extended_cell_t *cell_out,
 return -1;
 case RELAY_COMMAND_EXTENDED2:
 {
+ if (payload_len < 2) {
+ // Prevent underflow below.
+ return -1;
+ }
 cell_out->cell_type = RELAY_COMMAND_EXTENDED2;
 cell_out->created_cell.cell_type = CELL_CREATED2;
 cell_out->created_cell.handshake_len = ntohs(get_uint16(payload));
diff --git a/src/core/proto/proto_socks.c b/src/core/proto/proto_socks.c
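Review bot: The new `payload_len < 2` guard in the RELAY_COMMAND_EXTENDED2 case is correct, but its comment ("Prevent underflow below.") names only the secondary hazard: the very next line reads two bytes with `get_uint16(payload)`, so a 0- or 1-byte payload already reads past the buffer before any subtraction happens, which is the out-of-bounds read the bug41180 entry describes. I would make the comment name both: `/* Need at least the 2-byte handshake_len here: this guards the get_uint16() read on the next line as well as the length arithmetic that follows. */` (the arithmetic itself is outside the hunk, so I am inferring it from the original comment). A regression test that feeds extended_cell_parse EXTENDED2 payloads of length 0 and 1 and expects -1 would pin the fix against future refactors. extended_cell_parse begins and ends outside this hunk.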
@@ -186,18 +186,15 @@ parse_socks4_request(const uint8_t *raw_data, socks_request_t *req,
 }
 if (*is_socks4a) {
- // We cannot rely on trunnel here, as we want to detect if
- // we have abnormally long hostname field.
- const char *hostname = (char *)raw_data + SOCKS4_NETWORK_LEN +
- usernamelen + 1;
- size_t hostname_len = (char *)raw_data + datalen - hostname;
-
- if (hostname_len <= sizeof(req->address)) {
- const char *trunnel_hostname =
+ const char *trunnel_hostname =
 socks4_client_request_get_socks4a_addr_hostname(trunnel_req);
-
- if (trunnel_hostname)
- strlcpy(req->address, trunnel_hostname, sizeof(req->address));
+ if (BUG(!trunnel_hostname)) {
+ res = SOCKS_RESULT_INVALID;
+ goto end;
+ }
+ size_t hostname_len = strlen(trunnel_hostname);
+ if (hostname_len < sizeof(req->address)) {
+ strlcpy(req->address, trunnel_hostname, sizeof(req->address));
 } else {
 log_warn(LD_APP, "socks4: Destaddr too long. Rejecting.");
 res = SOCKS_RESULT_INVALID;