r15273@tombo: nickm | 2008-04-22 12:32:28 -0400

apply patch from lodger: reject requests for reverse-dns lookup of names in private address space.  make non-exits reject all dns requests.  Fixes bug 619.


svn:r14410
Nick Mathewson 2008-04-22 16:32:55 +00:00
parent 6e979489dc
commit ef9c34688c
2 changed files with 19 additions and 4 deletions


@ -29,6 +29,8 @@ Changes in version 0.2.1.1-alpha - 2008-??-??
nwf, bugfix on 0.2.0.16-alpha. nwf, bugfix on 0.2.0.16-alpha.
- Warn less verbosely about clock skew from netinfo cells from - Warn less verbosely about clock skew from netinfo cells from
untrusted sources. Fixes bug 663. untrusted sources. Fixes bug 663.
- Non-exit relays no longer allow DNS requests. Fixes bug 619.
Patch from Lodger.
o Minor features: o Minor features:
- Allow separate log levels to be configured for different logging - Allow separate log levels to be configured for different logging
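Review bot: the new bugfix entry `- Non-exit relays no longer allow DNS requests. Fixes bug 619.` does not say which release introduced the bug, unlike the neighbouring entries (`nwf, bugfix on 0.2.0.16-alpha.`); add a `Bugfix on <version>` clause so operators can tell whether their deployed release is affected. The wording is also broader than the code in this commit, whose guard in dns_resolve is conditioned on `is_resolve` and therefore only refuses RESOLVE requests; either say "no longer answer DNS resolve requests" or widen the check to match.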
@ -61,7 +63,12 @@ Changes in version 0.2.1.1-alpha - 2008-??-??
descriptors we need to keep around when we're cleaning out old descriptors we need to keep around when we're cleaning out old
router descriptors. This speeds up the computation significantly, and router descriptors. This speeds up the computation significantly, and
may reduce fragmentation. may reduce fragmentation.
- Make dumpstats() log the fullness and size of openssl-internal buffers. - Make dumpstats() log the fullness and size of openssl-internal
buffers.
o Minor features (security):
- Reject requests for reverse-dns lookup of names in a private
address space. Patch from Lodger.
o Code simplifications and refactoring: o Code simplifications and refactoring:
- Refactor code using connection_ap_handshake_attach_circuit() to - Refactor code using connection_ap_handshake_attach_circuit() to


@ -549,9 +549,14 @@ dns_resolve(edge_connection_t *exitconn)
or_circuit_t *oncirc = TO_OR_CIRCUIT(exitconn->on_circuit); or_circuit_t *oncirc = TO_OR_CIRCUIT(exitconn->on_circuit);
int is_resolve, r; int is_resolve, r;
char *hostname = NULL; char *hostname = NULL;
routerinfo_t *me = router_get_my_routerinfo();
is_resolve = exitconn->_base.purpose == EXIT_PURPOSE_RESOLVE; is_resolve = exitconn->_base.purpose == EXIT_PURPOSE_RESOLVE;
r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname); if (is_resolve && me &&
policy_is_reject_star(me->exit_policy)) /* non-exit */
r = -1;
else
r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname);
switch (r) { switch (r) {
case 1: case 1:
/* We got an answer without a lookup -- either the answer was /* We got an answer without a lookup -- either the answer was
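Review bot: the guard `if (is_resolve && me && policy_is_reject_star(me->exit_policy))` silently does nothing when `router_get_my_routerinfo()` returns NULL, so a relay that has not built its descriptor yet still falls through to `dns_resolve_impl` and answers the resolve; failing closed is safer here, e.g. `if (is_resolve && (!me || policy_is_reject_star(me->exit_policy)))`, or at least log the skipped check. The guard also only covers `is_resolve`, while the commit message says non-exits reject all DNS requests; BEGIN requests carrying a hostname still reach `dns_resolve_impl` from this function, so either extend the condition or narrow the commit and changelog wording. A comment on `r = -1;` should state that it deliberately takes the same path as a failed lookup in the `switch (r)` below, and `/* non-exit */` would read better as a one-line explanation of why the request is refused.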
@ -660,9 +665,12 @@ dns_resolve_impl(edge_connection_t *exitconn, int is_resolve,
* .in-addr.arpa address but this isn't a resolve request, kill the * .in-addr.arpa address but this isn't a resolve request, kill the
* connection. * connection.
*/ */
if ((r = parse_inaddr_arpa_address(exitconn->_base.address, NULL)) != 0) { if ((r = parse_inaddr_arpa_address(exitconn->_base.address, &in)) != 0) {
if (r == 1) if (r == 1) {
is_reverse = 1; is_reverse = 1;
if (is_internal_IP(ntohl(in.s_addr), 0)) /* internal address */
return -1;
}
if (!is_reverse || !is_resolve) { if (!is_reverse || !is_resolve) {
if (!is_reverse) if (!is_reverse)
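Review bot: `struct in_addr in` is now required by `parse_inaddr_arpa_address(exitconn->_base.address, &in)` and `in.s_addr`, but its declaration is not in the hunk; confirm it is declared in this function's scope (and not shadowed), otherwise this does not compile. The `return -1;` for an internal address is silent; a rate-limited log_info naming the reversed address would let operators notice reverse lookups of private address space arriving over circuits. The comment above the block (`.in-addr.arpa address but this isn't a resolve request, kill the connection.`) should be extended to cover the new case: a reverse lookup of a private address is refused regardless of `is_resolve`. Finally, the second argument in `is_internal_IP(ntohl(in.s_addr), 0)` is opaque at the call site; a short comment on what `0` selects would help the next reader.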