backport candidate:

The "ClientDNSRejectInternalAddresses" config option wasn't being consistently obeyed: if an exit relay refuses a stream because its exit policy doesn't allow it, we would remember what IP address the relay said the destination address resolves to, even if it's an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv. svn:r17135
2024-11-10 05:03:43 +01:00 · 2008-10-17 22:08:49 +00:00 · 2008-10-17 22:08:49 +00:00 · bca46cc628
commit bca46cc628
parent e3127e874e
2 changed files with 13 additions and 3 deletions
--- a/9
+++ b/9
@ -1,4 +1,11 @@
 Changes in version 0.2.1.7-alpha - 2008-10-xx
+  o Security fixes:
+    - The "ClientDNSRejectInternalAddresses" config option wasn't being
+      consistently obeyed: if an exit relay refuses a stream because its
+      exit policy doesn't allow it, we would remember what IP address
+      the relay said the destination address resolves to, even if it's
+      an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
+
  o Minor features:
    - Now NodeFamily and MyFamily config options allow spaces in
      identity fingerprints, so it's easier to paste them in.
@ -122,7 +129,7 @@ Changes in version 0.2.1.6-alpha - 2008-09-30
    - If we overrun our per-second write limits a little, count this as
      having used up our write allocation for the second, and choke
      outgoing directory writes. Previously, we had only counted this when
-      we had met our limits precisely. Fixes bug 824. Patch from by rovv.
+      we had met our limits precisely. Fixes bug 824. Patch by rovv.
      Bugfix on 0.2.0.x (??).
    - Avoid a "0 divided by 0" calculation when calculating router uptime
      at directory authorities. Bugfix on 0.2.0.8-alpha.
--- a/src/or/relay.c
+++ b/src/or/relay.c
@ -630,8 +630,11 @@ connection_edge_process_end_not_open(
            ttl = (int)ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+5));
          else
            ttl = -1;
-          client_dns_set_addressmap(conn->socks_request->address, addr,
-                                    conn->chosen_exit_name, ttl);
+
+          if (!(get_options()->ClientDNSRejectInternalAddresses &&
+                                           is_internal_IP(addr, 0)))
+            client_dns_set_addressmap(conn->socks_request->address, addr,
+                                      conn->chosen_exit_name, ttl);
        }
        /* check if he *ought* to have allowed it */
        if (exitrouter &&