author | Nick Mathewson <nickm@torproject.org> | 2008-04-22 16:32:55 +0000 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2008-04-22 16:32:55 +0000 |
commit | ef9c34688cb87731b392e9602c0fc817a5d84eab (patch) | |
tree | b621be72c16d9e3cd5b20953f3e17c8b7f918840 | |
parent | 6e979489dce903fdbb086d749e84f43bdb8baaa5 (diff) | |
r15273@tombo: nickm | 2008-04-22 12:32:28 -0400
apply patch from lodger: reject requests for reverse-dns lookup of names in private address space. make non-exits reject all dns requests. Fixes bug 619.
svn:r14410
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | src/or/dns.c | 14 |
2 files changed, 19 insertions, 4 deletions
@@ -29,6 +29,8 @@ Changes in version 0.2.1.1-alpha - 2008-??-?? nwf, bugfix on 0.2.0.16-alpha. - Warn less verbosely about clock skew from netinfo cells from untrusted sources. Fixes bug 663. + - Non-exit relays no longer allow DNS requests. Fixes bug 619. + Patch from Lodger. o Minor features: - Allow separate log levels to be configured for different logging
@@ -61,7 +63,12 @@ Changes in version 0.2.1.1-alpha - 2008-??-?? descriptors we need to keep around when we're cleaning out old router descriptors. This speeds up the computation significantly, and may reduce fragmentation. - - Make dumpstats() log the fullness and size of openssl-internal buffers. + - Make dumpstats() log the fullness and size of openssl-internal + buffers. + + o Minor features (security): + - Reject requests for reverse-dns lookup of names in a private address space. Patch from Lodger. o Code simplifications and refactoring: - Refactor code using connection_ap_handshake_attach_circuit() to
diff --git a/src/or/dns.c b/src/or/dns.c
index e6347c5e00..041ae74bc0 100644
--- a/src/or/dns.c
+++ b/src/or/dns.c
@@ -549,9 +549,14 @@ dns_resolve(edge_connection_t *exitconn)
 or_circuit_t *oncirc = TO_OR_CIRCUIT(exitconn->on_circuit);
 int is_resolve, r;
 char *hostname = NULL;
+ routerinfo_t *me = router_get_my_routerinfo();
 is_resolve = exitconn->_base.purpose == EXIT_PURPOSE_RESOLVE;
- r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname);
+ if (is_resolve && me && policy_is_reject_star(me->exit_policy)) /* non-exit */
+ r = -1;
+ else
+ r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname);
 switch (r) {
 case 1:
 /* We got an answer without a lookup -- either the answer was
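Review bot: The new guard in dns_resolve fails open when `router_get_my_routerinfo()` returns NULL: `me && policy_is_reject_star(me->exit_policy)` is false without a descriptor, so a relay that has not built one yet still falls into the `else` branch and answers RESOLVE requests exactly as before. If the intent is that only exits serve DNS, failing closed reads as `if (is_resolve && (!me || policy_is_reject_star(me->exit_policy)))`; if a missing descriptor is deliberately treated as "exit", a comment saying so belongs on that line in place of the bare `/* non-exit */`. The check also covers only the RESOLVE path (`is_resolve`) while the commit message speaks of all DNS requests; BEGIN requests are presumably already filtered by the exit policy before they reach this function, which is worth confirming in the note. The `switch (r)` that consumes the forced `-1` continues outside the hunk.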
@@ -660,9 +665,12 @@ dns_resolve_impl(edge_connection_t *exitconn, int is_resolve,
 * .in-addr.arpa address but this isn't a resolve request, kill the
 * connection. */
- if ((r = parse_inaddr_arpa_address(exitconn->_base.address, NULL)) != 0) {
- if (r == 1)
+ if ((r = parse_inaddr_arpa_address(exitconn->_base.address, &in)) != 0) {
+ if (r == 1) {
 is_reverse = 1;
+ if (is_internal_IP(ntohl(in.s_addr), 0)) /* internal address */
+ return -1;
+ }
 if (!is_reverse || !is_resolve) {
 if (!is_reverse) |