diff --git a/changes/bug20261 b/changes/bug20261 new file mode 100644 index 0000000000..dfdd15924b --- /dev/null +++ b/changes/bug20261 @@ -0,0 +1,4 @@ + o Minor bugfixes (client, unix domain sockets): + - Disable IsolateClientAddr when using AF_UNIX backed SocksPorts + as the client address is meaningless. Fixes bug 20261; bugfix on + 0.2.6.3-alpha. diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 9f4eb31445..354478a42e 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1046,8 +1046,9 @@ The following options are useful only for clients (that is, if another. Recognized isolation flags are: **IsolateClientAddr**;; Don't share circuits with streams from a different - client address. (On by default and strongly recommended; - you can disable it with **NoIsolateClientAddr**.) + client address. (On by default and strongly recommended when + supported; you can disable it with **NoIsolateClientAddr**. + Unsupported and force-disabled when using Unix domain sockets.) **IsolateSOCKSAuth**;; Don't share circuits with streams for which different SOCKS authentication was provided. (On by default; diff --git a/src/common/address.c b/src/common/address.c index 15ee3dbd17..dae1800919 100644 --- a/src/common/address.c +++ b/src/common/address.c @@ -1041,6 +1041,10 @@ tor_addr_copy_tight(tor_addr_t *dest, const tor_addr_t *src) * Different address families (IPv4 vs IPv6) are always considered unequal if * how is CMP_EXACT; otherwise, IPv6-mapped IPv4 addresses are * considered equivalent to their IPv4 equivalents. + * + * As a special case, all AF_UNIX addresses are always considered equal + * since tor_addr_t currently does not contain the information required to + * make the comparison. */ int tor_addr_compare(const tor_addr_t *addr1, const tor_addr_t *addr2, @@ -1114,6 +1118,18 @@ tor_addr_compare_masked(const tor_addr_t *addr1, const tor_addr_t *addr2, return 0; } } + case AF_UNIX: + /* HACKHACKHACKHACKHACK: + * tor_addr_t doesn't contain a copy of sun_path, so it's not + * possible to comapre this at all. + * + * Since the only time we currently actually should be comparing + * 2 AF_UNIX addresses is when dealing with ISO_CLIENTADDR (which + * is diesabled for AF_UNIX SocksPorts anyway), this just returns 0. + * + * See: #20261. + */ + return 0; default: /* LCOV_EXCL_START */ tor_fragile_assert(); diff --git a/src/or/config.c b/src/or/config.c index 18cbe34be3..93e753bb49 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -6838,6 +6838,13 @@ parse_port_config(smartlist_t *out, goto err; } + if (unix_socket_path && (isolation & ISO_CLIENTADDR)) { + /* `IsolateClientAddr` is nonsensical in the context of AF_LOCAL. + * just silently remove the isolation flag. + */ + isolation &= ~ISO_CLIENTADDR; + } + if (out && port) { size_t namelen = unix_socket_path ? strlen(unix_socket_path) : 0; port_cfg_t *cfg = port_cfg_new(namelen);