[or-cvs] r17135: {tor} backport candidate: The "ClientDNSRejectInternalAddresses" c (in tor/trunk: . src/or)
arma at seul.org
Fri Oct 17 22:08:49 UTC 2008
Author: arma
Date: 2008-10-17 18:08:49 -0400 (Fri, 17 Oct 2008)
New Revision: 17135
Modified:
tor/trunk/ChangeLog
tor/trunk/src/or/relay.c
Log:
backport candidate:
The "ClientDNSRejectInternalAddresses" config option wasn't being
consistently obeyed: if an exit relay refuses a stream because its
exit policy doesn't allow it, we would remember what IP address
the relay said the destination address resolves to, even if it's
an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog 2008-10-17 19:05:51 UTC (rev 17134)
+++ tor/trunk/ChangeLog 2008-10-17 22:08:49 UTC (rev 17135)
@@ -1,4 +1,11 @@
Changes in version 0.2.1.7-alpha - 2008-10-xx
+ o Security fixes:
+ - The "ClientDNSRejectInternalAddresses" config option wasn't being
+ consistently obeyed: if an exit relay refuses a stream because its
+ exit policy doesn't allow it, we would remember what IP address
+ the relay said the destination address resolves to, even if it's
+ an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
+
o Minor features:
- Now NodeFamily and MyFamily config options allow spaces in
identity fingerprints, so it's easier to paste them in.
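Review bot: The new "Security fixes" entry names the bug but not its consequence; a reader cannot tell from the ChangeLog why remembering the exit's claimed address matters (the client would presumably keep treating that hostname as resolving to an internal address on later connections). Adding a short clause on the impact would justify placing it under "Security fixes" rather than "Minor bugfixes".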
@@ -122,7 +129,7 @@
- If we overrun our per-second write limits a little, count this as
having used up our write allocation for the second, and choke
outgoing directory writes. Previously, we had only counted this when
- we had met our limits precisely. Fixes bug 824. Patch from by rovv.
+ we had met our limits precisely. Fixes bug 824. Patch by rovv.
Bugfix on 0.2.0.x (??).
- Avoid a "0 divided by 0" calculation when calculating router uptime
at directory authorities. Bugfix on 0.2.0.8-alpha.
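Review bot: The wording fix ("Patch from by rovv" to "Patch by rovv") is fine, but the same entry still ends with the unresolved placeholder "Bugfix on 0.2.0.x (??)." on the following context line; pin the version down before this ChangeLog ships with the release.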
Modified: tor/trunk/src/or/relay.c
===================================================================
--- tor/trunk/src/or/relay.c 2008-10-17 19:05:51 UTC (rev 17134)
+++ tor/trunk/src/or/relay.c 2008-10-17 22:08:49 UTC (rev 17135)
@@ -630,8 +630,11 @@
ttl = (int)ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+5));
else
ttl = -1;
- client_dns_set_addressmap(conn->socks_request->address, addr,
- conn->chosen_exit_name, ttl);
+
+ if (!(get_options()->ClientDNSRejectInternalAddresses &&
+ is_internal_IP(addr, 0)))
+ client_dns_set_addressmap(conn->socks_request->address, addr,
+ conn->chosen_exit_name, ttl);
}
/* check if he *ought* to have allowed it */
if (exitrouter &&
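Review bot: The new guard `if (!(get_options()->ClientDNSRejectInternalAddresses && is_internal_IP(addr, 0)))` silently skips client_dns_set_addressmap when the exit hands back an internal address, leaving no trace for the operator; consider a log line (naming `conn->chosen_exit_name`) since an exit answering with an internal address is exactly the condition this option exists to surface. The log message says the option was already honored on the other resolution path, so the same test now lives in two places; a small shared helper (e.g. "should the client accept this resolved address") would keep the two checks from drifting apart again. The added blank line at the start of the replacement block is stray whitespace inside the else branch.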