authorteor (Tim Wilson-Brown) <teor2345@gmail.com>2015-09-15 18:34:18 +1000
committerteor (Tim Wilson-Brown) <teor2345@gmail.com>2015-09-16 02:56:50 +1000
commit098b82c7b2a6bb711e3616eb5b7e7e5e7401f01d (patch)
treebc40d90c97de2a09a6c1e277ea3c5f2c455f8787 /src/common
parent31eb486c4624d1437d982ffdfc1f9d7d83c5ffd6 (diff)
ExitPolicyRejectPrivate rejects local IPv6 address and interface addresses
ExitPolicyRejectPrivate now rejects more local addresses by default: * the relay's published IPv6 address (if any), and * any publicly routable IPv4 or IPv6 addresses on any local interfaces. This resolves a security issue for IPv6 Exits and multihomed Exits that trust connections originating from localhost. Resolves ticket 17027. Patch by "teor". Patch on 42b8fb5a1523 (11 Nov 2007), released in 0.2.0.11-alpha.
Diffstat (limited to 'src/common')
-rw-r--r--src/common/address.c43
1 files changed, 22 insertions, 21 deletions
diff --git a/src/common/address.c b/src/common/address.c
index 0614256521..545865b5df 100644
--- a/src/common/address.c
+++ b/src/common/address.c
@@ -1605,33 +1605,33 @@ MOCK_IMPL(int,
get_interface_address6,(int severity, sa_family_t family, tor_addr_t *addr))
{
smartlist_t *addrs;
+ int rv = -1;
tor_assert(addr);
/* Get a list of public or internal IPs in arbitrary order */
- if ((addrs = get_interface_address6_list(severity, family, 1))) {
- int rv = -1;
- /* Find the first non-internal address, or the last internal address
- * Ideally, we want the default route, see #12377 for details */
- SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, a) {
- tor_addr_copy(addr, a);
- rv = 0;
-
- /* If we found a non-internal address, declare success. Otherwise,
- * keep looking. */
- if (!tor_addr_is_internal(a, 0))
- break;
- } SMARTLIST_FOREACH_END(a);
+ addrs = get_interface_address6_list(severity, family, 1);
- free_interface_address6_list(addrs);
- return rv;
- }
+ /* Find the first non-internal address, or the last internal address
+ * Ideally, we want the default route, see #12377 for details */
+ SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, a) {
+ tor_addr_copy(addr, a);
+ rv = 0;
- return -1;
+ /* If we found a non-internal address, declare success. Otherwise,
+ * keep looking. */
+ if (!tor_addr_is_internal(a, 0))
+ break;
+ } SMARTLIST_FOREACH_END(a);
+
+ free_interface_address6_list(addrs);
+ return rv;
}
/** Free a smartlist of IP addresses returned by get_interface_address6_list.
*/
-void free_interface_address6_list(smartlist_t *addrs) {
+void
+free_interface_address6_list(smartlist_t *addrs)
+{
SMARTLIST_FOREACH(addrs, tor_addr_t *, a, tor_free(a));
smartlist_free(addrs);
}
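Review bot: With the `if ((addrs = get_interface_address6_list(severity, family, 1)))` guard removed, get_interface_address6 now iterates and frees `addrs` unconditionally, so it relies on get_interface_address6_list never returning NULL. That contract is not visible in this hunk, and because the list function is a MOCK_IMPL, a test mock could presumably return NULL as well. In that case both SMARTLIST_FOREACH_BEGIN and free_interface_address6_list would dereference a NULL list. If an empty smartlist is the guaranteed failure result, say so in the doc comment of get_interface_address6_list and make the assumption explicit with `tor_assert(addrs);` right after the call; otherwise keep an early exit such as `if (!addrs) return -1;`.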
@@ -1654,8 +1654,9 @@ MOCK_IMPL(smartlist_t *,get_interface_address6_list,(int severity,
/* Try to do this the smart way if possible. */
if ((addrs = get_interface_addresses_raw(severity))) {
- SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, a) {
- if (family != AF_UNSPEC && family != tor_addr_family(a)){
+ SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, a)
+ {
+ if (family != AF_UNSPEC && family != tor_addr_family(a)) {
SMARTLIST_DEL_CURRENT(addrs, a);
tor_free(a);
continue;
@@ -1668,7 +1669,7 @@ MOCK_IMPL(smartlist_t *,get_interface_address6_list,(int severity,
continue;
}
- if (!include_internal && tor_addr_is_internal(a, 0)){
+ if (!include_internal && tor_addr_is_internal(a, 0)) {
SMARTLIST_DEL_CURRENT(addrs, a);
tor_free(a);
continue;