r14227@Kushana: nickm | 2007-08-27 11:33:28 -0400

 Add a new ClientDNSRejectInternalAddresses option (default: on) to refuse to believe that any address can map to or from an internal address.  This blocks some kinds of potential browser-based attacks, especially on hosts using DNSPort.  Also clarify behavior in some comments.  Backport candiate?


svn:r11287

1 files changed, 13 insertions, 0 deletions

diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index 77a95f6764..f4431bacf2 100644
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -1247,6 +1247,19 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
                                  END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED);
       return 0;
     }
+    if (options->ClientDNSRejectInternalAddresses) {
+      /* Don't let people try to do a reverse lookup on 10.0.0.1. */
+      tor_addr_t addr;
+      if (tor_addr_from_str(&addr, socks->address) >= 0 &&
+          tor_addr_is_internal(&addr, 0)) {
+        connection_ap_handshake_socks_resolved(conn, RESOLVED_TYPE_ERROR,
+                                               0, NULL, -1, TIME_MAX);
+        connection_mark_unattached_ap(conn,
+                                 END_STREAM_REASON_SOCKSPROTOCOL |
+                                 END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED);
+        return -1;
+      }
+    }
   } else if (!automap) {
     /* For address map controls, remap the address. */
     if (addressmap_rewrite(socks->address, sizeof(socks->address),