summaryrefslogtreecommitdiff
path: root/src/or
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2010-01-20 12:36:14 -0500
committerNick Mathewson <nickm@torproject.org>2010-01-20 13:09:10 -0500
commitd4354b506be924853cae838881202b205b4d45f2 (patch)
tree6bb2302e91777f60580bcf57201b433e66a98f69 /src/or
parentc939509051f90d7276355783b255d4a15730efab (diff)
downloadtor-d4354b506be924853cae838881202b205b4d45f2.tar.gz
tor-d4354b506be924853cae838881202b205b4d45f2.zip
Don't use OutboundBindAddress to connect to localhost
The OutboundBindAddress option is useful for making sure that all of your outbond connections use a given interface. But when connecting to 127.0.0.1 (or ::1 even) it's important to actually have the connection come _from_ localhost, since lots of programs running on localhost use the source address to authenticate that the connection is really coming from the same host. Our old code always bound to OutboundBindAddress, whether connecting to localhost or not. This would potentially break DNS servers on localhost, and socks proxies on localhost. This patch changes the behavior so that we only look at OutboundBindAddress when connecting to a non-loopback address.
Diffstat (limited to 'src/or')
-rw-r--r--src/or/connection.c2
-rw-r--r--src/or/eventdns.c18
2 files changed, 18 insertions, 2 deletions
diff --git a/src/or/connection.c b/src/or/connection.c
index 6506cf81fd..eeb25c1828 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -1236,7 +1236,7 @@ connection_connect(connection_t *conn, const char *address,
return -1;
}
- if (options->OutboundBindAddress) {
+ if (options->OutboundBindAddress && !tor_addr_is_loopback(addr)) {
struct sockaddr_in ext_addr;
memset(&ext_addr, 0, sizeof(ext_addr));
diff --git a/src/or/eventdns.c b/src/or/eventdns.c
index 83bff671aa..a504224c54 100644
--- a/src/or/eventdns.c
+++ b/src/or/eventdns.c
@@ -2239,6 +2239,21 @@ evdns_resume(void)
}
static int
+sockaddr_is_loopback(const struct sockaddr *addr)
+{
+ static const char LOOPBACK_S6[16] =
+ "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1";
+ if (addr->sa_family == AF_INET) {
+ struct sockaddr_in *sin = (struct sockaddr_in *)addr;
+ return (ntohl(sin->sin_addr.s_addr) & 0xff000000) == 0x7f000000;
+ } else if (addr->sa_family == AF_INET6) {
+ struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)addr;
+ return !memcmp(sin6->sin6_addr.s6_addr, LOOPBACK_S6, 16);
+ }
+ return 0;
+}
+
+static int
_evdns_nameserver_add_impl(const struct sockaddr *address,
socklen_t addrlen) {
/* first check to see if we already have this nameserver */
@@ -2279,7 +2294,8 @@ _evdns_nameserver_add_impl(const struct sockaddr *address,
fcntl(ns->socket, F_SETFL, O_NONBLOCK);
#endif
- if (global_bind_addr_is_set) {
+ if (global_bind_addr_is_set &&
+ !sockaddr_is_loopback((struct sockaddr*)&global_bind_address)) {
if (bind(ns->socket, (struct sockaddr *)&global_bind_address,
global_bind_addrlen) < 0) {
log(EVDNS_LOG_DEBUG, "Couldn't bind to outgoing address.");