When a SOCKS5 server sends back a reply, it encodes an "address", which can be IPv4 (4 bytes), IPv6 (16 bytes) or "a domain name", which has a length (1 byte) and "a string of length <length>" - so when copying bytes, we need to handle "length +1" bytes.
Our code totally doesn't use this variant of addresses, but since this has been pointed out by "tpw_rules" in Trac, fix it, so if/when someone works on this again, the foundation is correct. Reported-By: tpw_rules in Trac Trac: #848 Signed-off-by: Gert Doering <g...@greenie.muc.de> --- src/openvpn/socks.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c index 57f0cee2..aff62746 100644 --- a/src/openvpn/socks.c +++ b/src/openvpn/socks.c @@ -381,7 +381,10 @@ recv_socks_reply(socket_descriptor_t sd, break; case '\x03': /* DOMAINNAME */ - alen = (unsigned char) c; + /* RFC 1928, section 5: 1 byte length, <n> bytes name, + * so the total "address length" is (length+1) + */ + alen = (unsigned char) c +1; break; case '\x04': /* IP V6 */ -- 2.26.2 _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
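Review bot: in the `case '\x03': /* DOMAINNAME */` arm, confirm that `c` here holds the octet that follows ATYP (the name length) and not the ATYP octet the `case` label just matched; if `c` is the value being switched on, `(unsigned char) c +1` evaluates to 0x03 + 1 = 4 for every domain-name reply, and the real length octet, the next byte in the stream, would still need to be read before the copy can be sized correctly. The new comment correctly describes RFC 1928 section 5 (one length octet, <n> name octets, no terminating NUL), so the intent is right; only the operand needs checking. Minor: `c +1` should be written `c + 1` with spaces on both sides of the operator.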
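The address encoding the commit message describes, worked through as a standalone parser. This is an added example and not OpenVPN's socks.c code: it parses one complete SOCKS5 reply (VER REP RSV ATYP BND.ADDR BND.PORT, RFC 1928 section 6) from a byte buffer, sizes the BND.ADDR field per ATYP including the length-octet-plus-name rule for domain names, and rejects truncated or unknown-ATYP input instead of reading past the buffer. The struct, function names and the sample replies are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parsed view of a SOCKS5 reply (RFC 1928, section 6). */
struct socks5_reply {
    uint8_t rep;        /* reply code, 0x00 = succeeded */
    uint8_t atyp;       /* 0x01 IPv4, 0x03 domain name, 0x04 IPv6 */
    uint8_t addr[255];  /* raw address bytes; for 0x03 the name octets, no NUL */
    size_t addr_len;    /* number of valid bytes in addr */
    uint16_t port;      /* BND.PORT in host byte order */
};

/* Size in bytes of the whole BND.ADDR field for a given ATYP.  For a domain
 * name the field is the length octet plus that many name octets, i.e.
 * (length + 1); next_byte must then be the octet following ATYP.
 * Returns 0 for an unknown ATYP. */
size_t socks5_addr_field_len(uint8_t atyp, uint8_t next_byte)
{
    switch (atyp) {
    case 0x01: return 4;                      /* IPv4 */
    case 0x03: return (size_t)next_byte + 1;  /* length octet + name octets */
    case 0x04: return 16;                     /* IPv6 */
    default:   return 0;
    }
}

/* Parse one complete reply from buf[0..len).  Returns the number of bytes
 * consumed, or 0 if the reply is malformed or truncated. */
size_t socks5_parse_reply(const uint8_t *buf, size_t len, struct socks5_reply *out)
{
    /* VER, REP, RSV and ATYP must all be present before we can size BND.ADDR */
    if (len < 4 || buf[0] != 0x05) {
        return 0;
    }
    uint8_t atyp = buf[3];
    size_t field;
    if (atyp == 0x03) {
        if (len < 5) {
            return 0;                         /* the length octet itself is missing */
        }
        field = socks5_addr_field_len(atyp, buf[4]);
    } else {
        field = socks5_addr_field_len(atyp, 0);
        if (field == 0) {
            return 0;                         /* unknown address type */
        }
    }
    size_t total = 4 + field + 2;             /* header + BND.ADDR + BND.PORT */
    if (len < total) {
        return 0;                             /* truncated: do not read past buf */
    }
    memset(out, 0, sizeof *out);
    out->rep = buf[1];
    out->atyp = atyp;
    if (atyp == 0x03) {
        out->addr_len = buf[4];               /* name octets only */
        memcpy(out->addr, buf + 5, out->addr_len);
    } else {
        out->addr_len = field;
        memcpy(out->addr, buf + 4, field);
    }
    /* BND.PORT sits immediately after the full address field */
    out->port = (uint16_t)((buf[4 + field] << 8) | buf[5 + field]);
    return total;
}

/* Constructed sample replies (not captured from a real proxy). */
static const uint8_t SAMPLE_IPV4[] = {
    0x05, 0x00, 0x00, 0x01, 10, 0, 0, 1, 0x1F, 0x90          /* 10.0.0.1:8080 */
};
static const uint8_t SAMPLE_DOMAIN[] = {
    0x05, 0x00, 0x00, 0x03, 11,
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm',
    0x00, 0x50                                               /* example.com:80 */
};

int main(void)
{
    struct socks5_reply r;
    size_t n = socks5_parse_reply(SAMPLE_DOMAIN, sizeof SAMPLE_DOMAIN, &r);
    printf("consumed %zu bytes, atyp=%u name=%.*s port=%u\n",
           n, r.atyp, (int)r.addr_len, (const char *)r.addr, r.port);
    return 0;
}
```

Sizing the field as `length + 1` is what keeps the port offset right: with `length` alone the parser would take the last name octet as the high byte of BND.PORT and stop one byte short of the reply.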