diff options
| author | Nick Mathewson <nickm@torproject.org> | 2010-01-20 12:36:14 -0500 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2010-01-20 13:09:10 -0500 |
| commit | d4354b506be924853cae838881202b205b4d45f2 (patch) | |
| tree | 6bb2302e91777f60580bcf57201b433e66a98f69 | |
| parent | c939509051f90d7276355783b255d4a15730efab (diff) | |
| download | tor-d4354b506be924853cae838881202b205b4d45f2.tar.gz tor-d4354b506be924853cae838881202b205b4d45f2.zip | |
Don't use OutboundBindAddress to connect to localhost
The OutboundBindAddress option is useful for making sure that all of
your outbond connections use a given interface. But when connecting
to 127.0.0.1 (or ::1 even) it's important to actually have the
connection come _from_ localhost, since lots of programs running on
localhost use the source address to authenticate that the connection
is really coming from the same host.
Our old code always bound to OutboundBindAddress, whether connecting
to localhost or not. This would potentially break DNS servers on
localhost, and socks proxies on localhost. This patch changes the
behavior so that we only look at OutboundBindAddress when connecting
to a non-loopback address.
| -rw-r--r-- | ChangeLog | 8 | ||||
| -rw-r--r-- | src/or/connection.c | 2 | ||||
| -rw-r--r-- | src/or/eventdns.c | 18 |
3 files changed, 26 insertions, 2 deletions
@@ -1,3 +1,11 @@ +Changes in version 0.2.2.8-alpha - 2010-??-?? + o Minor bugfixes: + - Ignore OutboundBindAddress when connecting to localhost. + Connections to localhost need to come _from_ localhost, or else + local servers (like DNS and outgoing HTTP/SOCKS proxies) will often + refuse to listen. + + Changes in version 0.2.1.23 - 2010-0?-?? o Major bugfixes (performance): - We were selecting our guards uniformly at random, and then weighting diff --git a/src/or/connection.c b/src/or/connection.c index 6506cf81fd..eeb25c1828 100644 --- a/src/or/connection.c +++ b/src/or/connection.c @@ -1236,7 +1236,7 @@ connection_connect(connection_t *conn, const char *address, return -1; } - if (options->OutboundBindAddress) { + if (options->OutboundBindAddress && !tor_addr_is_loopback(addr)) { struct sockaddr_in ext_addr; memset(&ext_addr, 0, sizeof(ext_addr)); diff --git a/src/or/eventdns.c b/src/or/eventdns.c index 83bff671aa..a504224c54 100644 --- a/src/or/eventdns.c +++ b/src/or/eventdns.c @@ -2239,6 +2239,21 @@ evdns_resume(void) } static int +sockaddr_is_loopback(const struct sockaddr *addr) +{ + static const char LOOPBACK_S6[16] = + "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1"; + if (addr->sa_family == AF_INET) { + struct sockaddr_in *sin = (struct sockaddr_in *)addr; + return (ntohl(sin->sin_addr.s_addr) & 0xff000000) == 0x7f000000; + } else if (addr->sa_family == AF_INET6) { + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)addr; + return !memcmp(sin6->sin6_addr.s6_addr, LOOPBACK_S6, 16); + } + return 0; +} + +static int _evdns_nameserver_add_impl(const struct sockaddr *address, socklen_t addrlen) { /* first check to see if we already have this nameserver */ @@ -2279,7 +2294,8 @@ _evdns_nameserver_add_impl(const struct sockaddr *address, fcntl(ns->socket, F_SETFL, O_NONBLOCK); #endif - if (global_bind_addr_is_set) { + if (global_bind_addr_is_set && + !sockaddr_is_loopback((struct sockaddr*)&global_bind_address)) { if (bind(ns->socket, (struct sockaddr *)&global_bind_address, global_bind_addrlen) < 0) { log(EVDNS_LOG_DEBUG, "Couldn't bind to outgoing address."); |