r15273@tombo: nickm | 2008-04-22 12:32:28 -0400
apply patch from lodger: reject requests for reverse-dns lookup of names in private address space. make non-exits reject all dns requests. Fixes bug 619. svn:r14410
This commit is contained in:
parent
6e979489dc
commit
ef9c34688c
@ -29,6 +29,8 @@ Changes in version 0.2.1.1-alpha - 2008-??-??
|
||||
nwf, bugfix on 0.2.0.16-alpha.
|
||||
- Warn less verbosely about clock skew from netinfo cells from
|
||||
untrusted sources. Fixes bug 663.
|
||||
- Non-exit relays no longer allow DNS requests. Fixes bug 619.
|
||||
Patch from Lodger.
|
||||
|
||||
o Minor features:
|
||||
- Allow separate log levels to be configured for different logging
|
||||
@ -61,7 +63,12 @@ Changes in version 0.2.1.1-alpha - 2008-??-??
|
||||
descriptors we need to keep around when we're cleaning out old
|
||||
router descriptors. This speeds up the computation significantly, and
|
||||
may reduce fragmentation.
|
||||
- Make dumpstats() log the fullness and size of openssl-internal buffers.
|
||||
- Make dumpstats() log the fullness and size of openssl-internal
|
||||
buffers.
|
||||
|
||||
o Minor features (security):
|
||||
- Reject requests for reverse-dns lookup of names in a private
|
||||
address space. Patch from Lodger.
|
||||
|
||||
o Code simplifications and refactoring:
|
||||
- Refactor code using connection_ap_handshake_attach_circuit() to
|
||||
|
14
src/or/dns.c
14
src/or/dns.c
@ -549,9 +549,14 @@ dns_resolve(edge_connection_t *exitconn)
|
||||
or_circuit_t *oncirc = TO_OR_CIRCUIT(exitconn->on_circuit);
|
||||
int is_resolve, r;
|
||||
char *hostname = NULL;
|
||||
routerinfo_t *me = router_get_my_routerinfo();
|
||||
is_resolve = exitconn->_base.purpose == EXIT_PURPOSE_RESOLVE;
|
||||
|
||||
r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname);
|
||||
if (is_resolve && me &&
|
||||
policy_is_reject_star(me->exit_policy)) /* non-exit */
|
||||
r = -1;
|
||||
else
|
||||
r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname);
|
||||
switch (r) {
|
||||
case 1:
|
||||
/* We got an answer without a lookup -- either the answer was
|
||||
@ -660,9 +665,12 @@ dns_resolve_impl(edge_connection_t *exitconn, int is_resolve,
|
||||
* .in-addr.arpa address but this isn't a resolve request, kill the
|
||||
* connection.
|
||||
*/
|
||||
if ((r = parse_inaddr_arpa_address(exitconn->_base.address, NULL)) != 0) {
|
||||
if (r == 1)
|
||||
if ((r = parse_inaddr_arpa_address(exitconn->_base.address, &in)) != 0) {
|
||||
if (r == 1) {
|
||||
is_reverse = 1;
|
||||
if (is_internal_IP(ntohl(in.s_addr), 0)) /* internal address */
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!is_reverse || !is_resolve) {
|
||||
if (!is_reverse)
|
||||
|
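Review bot: In the new `dns_resolve` guard at the top of this section, a NULL return from `router_get_my_routerinfo()` makes the `me &&` clause false, so a relay that has no routerinfo yet (inferred from the name; the helper is not in the hunk) falls through to `dns_resolve_impl` and still services RESOLVE cells; failing closed there, `if (is_resolve && (!me || policy_is_reject_star(me->exit_policy)))`, would keep a relay without a published exit policy from acting as a resolver. The guard also only applies when `is_resolve` is set, so a CONNECT arriving at a reject-* relay still runs through `dns_resolve_impl` (and the new private-address reverse-lookup check in the second hunk) before its exit policy is consulted, presumably in a later step outside this hunk. The bare `/* non-exit */` comment would carry more of the intent as `/* non-exit relay: refuse RESOLVE cells rather than serve as an open resolver */`. `dns_resolve` continues past the end of the first hunk, and the `in` variable used by `is_internal_IP(ntohl(in.s_addr), 0)` is declared outside the second hunk.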