When a SOCKS5 server sends back a reply, it encodes an "address",
which can be IPv4 (4 bytes), IPv6 (16 bytes) or "a domain name",
which has a lenght (1 byte) and "a string of length <length>" - so
when copying bytes, we need to hande "length +1" bytes.
Our code totally doesn't use this variant of addresses, but since
this has been pointed out by "tpw_rules" in Trac, fix it, so if/when
someone works on this again, the foundation is correct.
Reported-By: tpw_rules in Trac
Trac: #848
Signed-off-by: Gert Doering <g...@greenie.muc.de>
---
src/openvpn/socks.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index 57f0cee2..aff62746 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -381,7 +381,10 @@ recv_socks_reply(socket_descriptor_t sd,
break;
case '\x03': /* DOMAINNAME */
- alen = (unsigned char) c;
+ /* RFC 1928, section 5: 1 byte length, <n> bytes name,
+ * so the total "address length" is (length+1)
+ */
+ alen = (unsigned char) c +1;
break;
case '\x04': /* IP V6 */
--
2.26.2
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
