Disable extending to private/internal addresses by default

This is important, since otherwise an attacker can use timing info to probe the internal network. Also, add an option (ExtendAllowPrivateAddresses) so that TestingTorNetwork won't break. Fix for bug 6710; bugfix on all released versions of Tor.
author: Nick Mathewson <nickm@torproject.org> 2012-08-27 11:16:44 -0400
committer: Nick Mathewson <nickm@torproject.org> 2012-08-27 11:19:29 -0400
commit: b7c172c9ec762363562220a354feefc521970d7c (patch)
tree: d4262db650b35abda2600b0fa284a7133882861f /src/or/circuitbuild.c
parent: ce4add498f6af197a0e856d262825d547f898305 (diff)
download: tor-b7c172c9ec762363562220a354feefc521970d7c.tar.gz
tor-b7c172c9ec762363562220a354feefc521970d7c.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 39a223b2f4..f11bebf7c9 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -2432,6 +2432,13 @@ circuit_extend(cell_t *cell, circuit_t *circ)
     return -1;
   }
 
+  if (tor_addr_is_internal(&n_addr, 0) &&
+      !get_options()->ExtendAllowPrivateAddresses) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Client asked me to extend to a private address");
+    return -1;
+  }
+
   /* Check if they asked us for 0000..0000. We support using
    * an empty fingerprint for the first hop (e.g. for a bridge relay),
    * but we don't want to let people send us extend cells for empty
author	Nick Mathewson <nickm@torproject.org>	2012-08-27 11:16:44 -0400
committer	Nick Mathewson <nickm@torproject.org>	2012-08-27 11:19:29 -0400
commit	b7c172c9ec762363562220a354feefc521970d7c (patch)
tree	d4262db650b35abda2600b0fa284a7133882861f /src/or/circuitbuild.c
parent	ce4add498f6af197a0e856d262825d547f898305 (diff)
download	tor-b7c172c9ec762363562220a354feefc521970d7c.tar.gz tor-b7c172c9ec762363562220a354feefc521970d7c.zip