author | teor (Tim Wilson-Brown) <teor2345@gmail.com> | 2015-09-15 18:34:18 +1000 |
committer | teor (Tim Wilson-Brown) <teor2345@gmail.com> | 2015-09-16 02:56:50 +1000 |
commit | 098b82c7b2a6bb711e3616eb5b7e7e5e7401f01d (patch) | |
tree | bc40d90c97de2a09a6c1e277ea3c5f2c455f8787 /src/common | |
parent | 31eb486c4624d1437d982ffdfc1f9d7d83c5ffd6 (diff) | |
ExitPolicyRejectPrivate rejects local IPv6 address and interface addresses
ExitPolicyRejectPrivate now rejects more local addresses by default:
* the relay's published IPv6 address (if any), and
* any publicly routable IPv4 or IPv6 addresses on any local interfaces.
This resolves a security issue for IPv6 Exits and multihomed Exits that
trust connections originating from localhost.
Resolves ticket 17027. Patch by "teor".
Patch on 42b8fb5a1523 (11 Nov 2007), released in 0.2.0.11-alpha.
Diffstat (limited to 'src/common')
-rw-r--r-- | src/common/address.c | 43 |
1 files changed, 22 insertions, 21 deletions
diff --git a/src/common/address.c b/src/common/address.c
index 0614256521..545865b5df 100644
--- a/src/common/address.c
+++ b/src/common/address.c
@@ -1605,33 +1605,33 @@ MOCK_IMPL(int, get_interface_address6,(int severity, sa_family_t family,
 tor_addr_t *addr))
 {
 smartlist_t *addrs;
+ int rv = -1;
 tor_assert(addr);
 
 /* Get a list of public or internal IPs in arbitrary order */
- if ((addrs = get_interface_address6_list(severity, family, 1))) {
- int rv = -1;
- /* Find the first non-internal address, or the last internal address
- * Ideally, we want the default route, see #12377 for details */
- SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, a) {
- tor_addr_copy(addr, a);
- rv = 0;
-
- /* If we found a non-internal address, declare success. Otherwise,
- * keep looking. */
- if (!tor_addr_is_internal(a, 0))
- break;
- } SMARTLIST_FOREACH_END(a);
+ addrs = get_interface_address6_list(severity, family, 1);
 
- free_interface_address6_list(addrs);
- return rv;
- }
+ /* Find the first non-internal address, or the last internal address
+ * Ideally, we want the default route, see #12377 for details */
+ SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, a) {
+ tor_addr_copy(addr, a);
+ rv = 0;
 
- return -1;
+ /* If we found a non-internal address, declare success. Otherwise,
+ * keep looking. */
+ if (!tor_addr_is_internal(a, 0))
+ break;
+ } SMARTLIST_FOREACH_END(a);
+
+ free_interface_address6_list(addrs);
+ return rv;
 }
 
 /** Free a smartlist of IP addresses returned by get_interface_address6_list.
 */
-void free_interface_address6_list(smartlist_t *addrs) {
+void
+free_interface_address6_list(smartlist_t *addrs)
+{
 SMARTLIST_FOREACH(addrs, tor_addr_t *, a, tor_free(a));
 smartlist_free(addrs);
 }
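Review bot: The rewrite drops the NULL guard that the removed `if ((addrs = get_interface_address6_list(severity, family, 1)))` provided, so the new `SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, a)` and the `free_interface_address6_list(addrs)` call after the loop both dereference the returned list unconditionally; the contract of get_interface_address6_list is outside this hunk, so this is only safe if it is guaranteed never to return NULL (an empty list on failure). If that guarantee holds, it deserves to be stated where the caller relies on it, e.g. `/* get_interface_address6_list() never returns NULL; an empty list means no address was found. */` above the call, or enforced with `tor_assert(addrs);` right after it. Alternatively, make free_interface_address6_list tolerate NULL the way free() does by adding `if (!addrs) return;` as its first statement, which also protects any other caller that still passes a NULL list. The MOCK_IMPL signature of get_interface_address6 lies outside the hunk.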
@@ -1654,8 +1654,9 @@ MOCK_IMPL(smartlist_t *,get_interface_address6_list,(int severity,
 
 /* Try to do this the smart way if possible. */
 if ((addrs = get_interface_addresses_raw(severity))) {
- SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, a) {
- if (family != AF_UNSPEC && family != tor_addr_family(a)){
+ SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, a)
+ {
+ if (family != AF_UNSPEC && family != tor_addr_family(a)) {
 SMARTLIST_DEL_CURRENT(addrs, a);
 tor_free(a);
 continue;
@@ -1668,7 +1669,7 @@ MOCK_IMPL(smartlist_t *,get_interface_address6_list,(int severity,
 continue;
 }
 
- if (!include_internal && tor_addr_is_internal(a, 0)){
+ if (!include_internal && tor_addr_is_internal(a, 0)) {
 SMARTLIST_DEL_CURRENT(addrs, a);
 tor_free(a);
 continue;