nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-11 05:33:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Ensure controller RESOLVE commands respect __LeaveStreamsUnattached

Browse Source 
https://trac.torproject.org/projects/tor/ticket/1525

"The codepath taken by the control port "RESOLVE" command to create a
synthetic SOCKS resolve request isn't the same as the path taken by
a real SOCKS request from 'tor-resolve'.
This prevents controllers who set LeaveStreamsUnattached=1 from
being able to attach RESOLVE streams to circuits of their choosing."

Create a new function connection_ap_rewrite_and_attach_if_allowed()
and call that when Tor needs to attach a stream to a circuit but
needs to know if the controller permits it.

No tests added.
This commit is contained in:
Robert Hogan 2010-08-06 20:29:15 +01:00
parent f060b18e6c
commit 462568674a
4 changed files with 39 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
changes/bug1525 Normal file
View File

@ -0,0 +1,4 @@
o Minor bugfixes:
- Ensure DNS requests launched by "RESOLVE" commands from the controller
respect __LeaveStreamsUnattached. Bugfix on 0.2.2.14-alpha;
fixes bug 1525.

37
src/or/connection_edge.c
View File

@ -1408,6 +1408,23 @@ consider_plaintext_ports(edge_connection_t *conn, uint16_t port)
* different one? */ * different one? */
#define TRACKHOSTEXITS_RETRIES 5 #define TRACKHOSTEXITS_RETRIES 5
/** Call connection_ap_handshake_rewrite_and_attach() unless a controller
* asked us to leave streams unattached.
*/
int
connection_ap_rewrite_and_attach_if_allowed(edge_connection_t *conn,
origin_circuit_t *circ,
crypt_path_t *cpath)
{
or_options_t *options = get_options();
if (options->LeaveStreamsUnattached) {
conn->_base.state = AP_CONN_STATE_CONTROLLER_WAIT;
return 0;
}
return connection_ap_handshake_rewrite_and_attach(conn, circ, cpath);
}
/** Connection <b>conn</b> just finished its socks handshake, or the /** Connection <b>conn</b> just finished its socks handshake, or the
* controller asked us to take care of it. If <b>circ</b> is defined, * controller asked us to take care of it. If <b>circ</b> is defined,
* then that's where we'll want to attach it. Otherwise we have to * then that's where we'll want to attach it. Otherwise we have to
@ -1908,11 +1925,7 @@ connection_ap_handshake_process_socks(edge_connection_t *conn)
else else
control_event_stream_status(conn, STREAM_EVENT_NEW_RESOLVE, 0); control_event_stream_status(conn, STREAM_EVENT_NEW_RESOLVE, 0);
if (options->LeaveStreamsUnattached) { return connection_ap_rewrite_and_attach_if_allowed(conn, NULL, NULL);
conn->_base.state = AP_CONN_STATE_CONTROLLER_WAIT;
return 0;
}
return connection_ap_handshake_rewrite_and_attach(conn, NULL, NULL);
} }
/** connection_init_accepted_conn() found a new trans AP conn. /** connection_init_accepted_conn() found a new trans AP conn.
@ -1926,7 +1939,6 @@ int
connection_ap_process_transparent(edge_connection_t *conn) connection_ap_process_transparent(edge_connection_t *conn)
{ {
socks_request_t *socks; socks_request_t *socks;
or_options_t *options = get_options();
tor_assert(conn); tor_assert(conn);
tor_assert(conn->_base.type == CONN_TYPE_AP); tor_assert(conn->_base.type == CONN_TYPE_AP);
@ -1950,11 +1962,7 @@ connection_ap_process_transparent(edge_connection_t *conn)
control_event_stream_status(conn, STREAM_EVENT_NEW, 0); control_event_stream_status(conn, STREAM_EVENT_NEW, 0);
if (options->LeaveStreamsUnattached) { return connection_ap_rewrite_and_attach_if_allowed(conn, NULL, NULL);
conn->_base.state = AP_CONN_STATE_CONTROLLER_WAIT;
return 0;
}
return connection_ap_handshake_rewrite_and_attach(conn, NULL, NULL);
} }
/** connection_edge_process_inbuf() found a conn in state natd_wait. See if /** connection_edge_process_inbuf() found a conn in state natd_wait. See if
@ -1975,7 +1983,6 @@ connection_ap_process_natd(edge_connection_t *conn)
size_t tlen = 30; size_t tlen = 30;
int err, port_ok; int err, port_ok;
socks_request_t *socks; socks_request_t *socks;
or_options_t *options = get_options();
tor_assert(conn); tor_assert(conn);
tor_assert(conn->_base.type == CONN_TYPE_AP); tor_assert(conn->_base.type == CONN_TYPE_AP);
@ -2031,13 +2038,9 @@ connection_ap_process_natd(edge_connection_t *conn)
control_event_stream_status(conn, STREAM_EVENT_NEW, 0); control_event_stream_status(conn, STREAM_EVENT_NEW, 0);
if (options->LeaveStreamsUnattached) {
conn->_base.state = AP_CONN_STATE_CONTROLLER_WAIT;
return 0;
}
conn->_base.state = AP_CONN_STATE_CIRCUIT_WAIT; conn->_base.state = AP_CONN_STATE_CIRCUIT_WAIT;
return connection_ap_handshake_rewrite_and_attach(conn, NULL, NULL); return connection_ap_rewrite_and_attach_if_allowed(conn, NULL, NULL);
} }
/** Iterate over the two bytes of stream_id until we get one that is not /** Iterate over the two bytes of stream_id until we get one that is not

3
src/or/connection_edge.h
View File

@ -79,6 +79,9 @@ void client_dns_set_addressmap(const char *address, uint32_t val,
const char *addressmap_register_virtual_address(int type, char *new_address); const char *addressmap_register_virtual_address(int type, char *new_address);
void addressmap_get_mappings(smartlist_t *sl, time_t min_expires, void addressmap_get_mappings(smartlist_t *sl, time_t min_expires,
time_t max_expires, int want_expiry); time_t max_expires, int want_expiry);
int connection_ap_rewrite_and_attach_if_allowed(edge_connection_t *conn,
origin_circuit_t *circ,
crypt_path_t *cpath);
int connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn, int connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
origin_circuit_t *circ, origin_circuit_t *circ,
crypt_path_t *cpath); crypt_path_t *cpath);

22
src/or/dnsserv.c
View File

@ -141,16 +141,17 @@ evdns_server_callback(struct evdns_server_request *req, void *_data)
control_event_stream_status(conn, STREAM_EVENT_NEW, 0); control_event_stream_status(conn, STREAM_EVENT_NEW, 0);
/* Now, throw the connection over to get rewritten (which will answer it /* Now, unless a controller asked us to leave streams unattached,
* immediately if it's in the cache, or completely bogus, or automapped), * throw the connection over to get rewritten (which will
* and then attached to a circuit. */ * answer it immediately if it's in the cache, or completely bogus, or
* automapped), and then attached to a circuit. */
log_info(LD_APP, "Passing request for %s to rewrite_and_attach.", log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",
escaped_safe_str_client(q->name)); escaped_safe_str_client(q->name));
q_name = tor_strdup(q->name); /* q could be freed in rewrite_and_attach */ q_name = tor_strdup(q->name); /* q could be freed in rewrite_and_attach */
connection_ap_handshake_rewrite_and_attach(conn, NULL, NULL); connection_ap_rewrite_and_attach_if_allowed(conn, NULL, NULL);
/* Now, the connection is marked if it was bad. */ /* Now, the connection is marked if it was bad. */
log_info(LD_APP, "Passed request for %s to rewrite_and_attach.", log_info(LD_APP, "Passed request for %s to rewrite_and_attach_if_allowed.",
escaped_safe_str_client(q_name)); escaped_safe_str_client(q_name));
tor_free(q_name); tor_free(q_name);
} }
@ -186,16 +187,17 @@ dnsserv_launch_request(const char *name, int reverse)
return -1; return -1;
} }
/* Now, throw the connection over to get rewritten (which will answer it /* Now, unless a controller asked us to leave streams unattached,
* immediately if it's in the cache, or completely bogus, or automapped), * throw the connection over to get rewritten (which will
* and then attached to a circuit. */ * answer it immediately if it's in the cache, or completely bogus, or
* automapped), and then attached to a circuit. */
log_info(LD_APP, "Passing request for %s to rewrite_and_attach.", log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",
escaped_safe_str_client(name)); escaped_safe_str_client(name));
q_name = tor_strdup(name); /* q could be freed in rewrite_and_attach */ q_name = tor_strdup(name); /* q could be freed in rewrite_and_attach */
connection_ap_handshake_rewrite_and_attach(conn, NULL, NULL); connection_ap_rewrite_and_attach_if_allowed(conn, NULL, NULL);
/* Now, the connection is marked if it was bad. */ /* Now, the connection is marked if it was bad. */
log_info(LD_APP, "Passed request for %s to rewrite_and_attach.", log_info(LD_APP, "Passed request for %s to rewrite_and_attach_if_allowed.",
escaped_safe_str_client(q_name)); escaped_safe_str_client(q_name));
tor_free(q_name); tor_free(q_name);
return 0; return 0;