
Merge remote-tracking branch 'teor/bug8976_01_028'

Nick Mathewson 8 years ago
parent
commit
fe0d346a6d
4 changed files with 33 additions and 0 deletions
  1. 5 0
      changes/bug8976
  2. 15 0
      src/or/circuitbuild.c
  3. 1 0
      src/or/circuitbuild.h
  4. 12 0
      src/or/rendservice.c

+ 5 - 0
changes/bug8976

@@ -0,0 +1,5 @@
+  o Minor bugfixes (security, hidden services):
+    - Prevent hidden services connecting to client-supplied rendezvous
+      addresses that are reserved as internal or multicast.
+      Fixes bug 8976; bugfix on b7c172c9e in tor-0.2.3.21.
+      Patch by "dgoulet" and "teor".

+ 15 - 0
src/or/circuitbuild.c

@@ -2419,3 +2419,18 @@ build_state_get_exit_nickname(cpath_build_state_t *state)
   return state->chosen_exit->nickname;
 }
 
+/** Return true iff the given address can be used to extend to. */
+int extend_info_addr_is_allowed(const tor_addr_t *addr)
+{
+  tor_assert(addr);
+
+  /* Check if we have a private address and if we can extend to it. */
+  if ((tor_addr_is_internal(addr, 0) || tor_addr_is_multicast(addr)) &&
+      !get_options()->ExtendAllowPrivateAddresses) {
+    goto disallow;
+  }
+  /* Allowed! */
+  return 1;
+ disallow:
+  return 0;
+}
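Review bot: The doc comment on `extend_info_addr_is_allowed()` does not say which addresses are refused or that a configuration option overrides the check, so a caller cannot tell what "can be used" means without reading the body. I would write it as `/** Return true iff <b>addr</b> may be extended to: internal and multicast addresses are refused unless ExtendAllowPrivateAddresses is set. */`. As a style point, the `disallow` label guards a single `return 0;`, so the branch can return directly instead of using `goto`. The return type also sits on the same line as the function name, whereas the `build_state_get_exit_nickname(...)` definition in the hunk header appears to put it on its own line.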

+ 1 - 0
src/or/circuitbuild.h

@@ -53,6 +53,7 @@ extend_info_t *extend_info_new(const char *nickname, const char *digest,
 extend_info_t *extend_info_from_node(const node_t *r, int for_direct_connect);
 extend_info_t *extend_info_dup(extend_info_t *info);
 void extend_info_free(extend_info_t *info);
+int extend_info_addr_is_allowed(const tor_addr_t *addr);
 const node_t *build_state_get_exit_node(cpath_build_state_t *state);
 const char *build_state_get_exit_nickname(cpath_build_state_t *state);
 

+ 12 - 0
src/or/rendservice.c

@@ -1818,6 +1818,18 @@ find_rp_for_intro(const rend_intro_cell_t *intro,
     goto err;
   }
 
+  /* Make sure the RP we are being asked to connect to is _not_ a private
+   * address unless it's allowed. Let's avoid to build a circuit to our
+   * second middle node and fail right after when extending to the RP. */
+  if (!extend_info_addr_is_allowed(&rp->addr)) {
+    if (err_msg_out) {
+      tor_asprintf(&err_msg,
+                   "Relay IP in INTRODUCE2 cell is private address.");
+    }
+    extend_info_free(rp);
+    rp = NULL;
+    goto err;
+  }
   goto done;
 
  err:
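Review bot: The error text set in the new branch, `"Relay IP in INTRODUCE2 cell is private address."`, names only one of the cases this check rejects, because `extend_info_addr_is_allowed()` as added in this commit also refuses multicast addresses. Someone reading the message after a multicast rejection would be misled about the cause, so I would change the string to `"Relay IP in INTRODUCE2 cell is a private or multicast address."`. `find_rp_for_intro()` starts and ends outside the hunk, so it cannot be confirmed from here that every branch which builds `rp` from the client-supplied cell reaches this check before `goto done`; that is worth verifying against the full function.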