author: Roger Dingledine <arma@torproject.org> 2008-10-17 22:08:49 +0000
committer: Roger Dingledine <arma@torproject.org> 2008-10-17 22:08:49 +0000
commit: bca46cc628dc2a76d32b70359ffba21c567bb705 (patch)
tree: 844e26df8d7284f505cc4a318c60a0eed4aae2dc
parent: e3127e874eafd473d8f09b0429a2db7ed4852f93 (diff)
backport candidate:
The "ClientDNSRejectInternalAddresses" config option wasn't being consistently obeyed: if an exit relay refuses a stream because its exit policy doesn't allow it, we would remember what IP address the relay said the destination address resolves to, even if it's an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv. svn:r17135
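The decision the commit message describes, written out as a stand-alone C model. This is an added example, not Tor's own code: the names internal_ipv4, parse_ipv4 and should_cache_exit_mapping are assumptions for this illustration, the set of "internal" ranges is the usual non-routable IPv4 blocks rather than whatever Tor's is_internal_IP() checks, and the addresses in main() are constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not Tor code. Models the guard that the patch puts in
 * front of caching an exit's claimed resolution: when the client is
 * configured to reject internal addresses, an internal answer is dropped
 * instead of being remembered in the address map. */

/* Return 1 if the host-order IPv4 address lies in a non-routable block.
 * The range list is an assumption for this example (typical RFC 1918,
 * loopback, link-local and "this network" blocks). */
static int internal_ipv4(uint32_t addr)
{
  static const struct { uint32_t net; uint32_t mask; } ranges[] = {
    { 0x00000000u, 0xFF000000u }, /* 0.0.0.0/8      "this" network   */
    { 0x0A000000u, 0xFF000000u }, /* 10.0.0.0/8     RFC 1918         */
    { 0x7F000000u, 0xFF000000u }, /* 127.0.0.0/8    loopback         */
    { 0xA9FE0000u, 0xFFFF0000u }, /* 169.254.0.0/16 link-local       */
    { 0xAC100000u, 0xFFF00000u }, /* 172.16.0.0/12  RFC 1918         */
    { 0xC0A80000u, 0xFFFF0000u }, /* 192.168.0.0/16 RFC 1918         */
  };
  size_t i;
  for (i = 0; i < sizeof(ranges) / sizeof(ranges[0]); i++)
    if ((addr & ranges[i].mask) == ranges[i].net)
      return 1;
  return 0;
}

/* Parse a dotted quad into a host-order uint32. Returns 0 on any
 * malformed input, so garbage from the wire is never treated as an
 * address. */
static int parse_ipv4(const char *s, uint32_t *out)
{
  unsigned a, b, c, d;
  char tail;
  if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
    return 0;
  if (a > 255 || b > 255 || c > 255 || d > 255)
    return 0;
  *out = (a << 24) | (b << 16) | (c << 8) | d;
  return 1;
}

/* Mirror the patched decision: the exit's claimed address is stored only
 * when the reject option is off or the address is not internal.
 * Returns 1 if the mapping would be cached, 0 if it is ignored. */
int should_cache_exit_mapping(int reject_internal, const char *addr_str)
{
  uint32_t addr;
  if (!parse_ipv4(addr_str, &addr))
    return 0;                         /* unparseable: never cache */
  if (reject_internal && internal_ipv4(addr))
    return 0;                         /* the case the patch fixes */
  return 1;
}

int main(void)
{
  /* Constructed sample answers an exit might put in an END cell. */
  const char *claimed[] = { "93.184.216.34", "10.1.2.3", "127.0.0.1",
                            "172.31.255.255", "172.32.0.1", "not-an-ip" };
  size_t i;
  for (i = 0; i < sizeof(claimed) / sizeof(claimed[0]); i++)
    printf("%-16s reject=1:%s  reject=0:%s\n", claimed[i],
           should_cache_exit_mapping(1, claimed[i]) ? "cache " : "ignore",
           should_cache_exit_mapping(0, claimed[i]) ? "cache " : "ignore");
  return 0;
}
```

The 172.31.255.255 / 172.32.0.1 pair shows why the /12 mask matters: a check on the first octet alone would either miss the upper half of RFC 1918 space or reject public addresses next to it.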
 ChangeLog      | 9
 src/or/relay.c | 7
 2 files changed, 13 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index fb5324ddc2..d331c7ccbf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,11 @@
Changes in version 0.2.1.7-alpha - 2008-10-xx
+ o Security fixes:
+ - The "ClientDNSRejectInternalAddresses" config option wasn't being
+ consistently obeyed: if an exit relay refuses a stream because its
+ exit policy doesn't allow it, we would remember what IP address
+ the relay said the destination address resolves to, even if it's
+ an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
+
o Minor features:
- Now NodeFamily and MyFamily config options allow spaces in
identity fingerprints, so it's easier to paste them in.
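Review bot: the new ChangeLog entry states the symptom but not what the fix does, so a reader cannot tell whether an affected stream now fails or whether the claimed address is merely no longer cached. The relay.c change only skips client_dns_set_addressmap() when ClientDNSRejectInternalAddresses is set and is_internal_IP() is true; add a clause such as "we now ignore the claimed address instead of caching it" so the entry matches the code. A reference to the tracker issue, if one exists, would also help later backport triage.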
@@ -122,7 +129,7 @@ Changes in version 0.2.1.6-alpha - 2008-09-30
- If we overrun our per-second write limits a little, count this as
having used up our write allocation for the second, and choke
outgoing directory writes. Previously, we had only counted this when
- we had met our limits precisely. Fixes bug 824. Patch from by rovv.
+ we had met our limits precisely. Fixes bug 824. Patch by rovv.
Bugfix on 0.2.0.x (??).
- Avoid a "0 divided by 0" calculation when calculating router uptime
at directory authorities. Bugfix on 0.2.0.8-alpha.
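Review bot: the typo fix on "Patch from by rovv." leaves the "(??)" placeholder in "Bugfix on 0.2.0.x (??)." untouched. Since this entry is being edited anyway, resolve it to the exact 0.2.0.x version or drop the parenthetical, so 0.2.1.7-alpha does not ship a question mark in its ChangeLog.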
diff --git a/src/or/relay.c b/src/or/relay.c
index 8b68c8cf75..5bb712bf19 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -630,8 +630,11 @@ connection_edge_process_end_not_open(
ttl = (int)ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+5));
else
ttl = -1;
- client_dns_set_addressmap(conn->socks_request->address, addr,
- conn->chosen_exit_name, ttl);
+
+ if (!(get_options()->ClientDNSRejectInternalAddresses &&
+ is_internal_IP(addr, 0)))
+ client_dns_set_addressmap(conn->socks_request->address, addr,
+ conn->chosen_exit_name, ttl);
}
/* check if he *ought* to have allowed it */
if (exitrouter &&
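Review bot: the rejected case of the new guard `if (!(get_options()->ClientDNSRejectInternalAddresses && is_internal_IP(addr, 0)))` is silent, so an exit that answers an END cell with an internal address leaves no trace in the client's log. Consider stating the condition positively and logging in the rejected branch, e.g. `if (get_options()->ClientDNSRejectInternalAddresses && is_internal_IP(addr, 0)) { log_info(...chosen_exit_name...); } else client_dns_set_addressmap(...);` so the mapping is still skipped but the misbehaving exit is identifiable. The blank line inserted after `ttl = -1;` is also unnecessary.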