
Merge remote-tracking branch 'rl1987/bug22461'

Nick Mathewson 7 年之前
父节点
当前提交
b9d8c8b126
共有 3 个文件被更改,包括 19 次插入24 次删除
  1. 5 0
      changes/bug22461
  2. 2 10
      src/or/buffers.c
  3. 12 14
      src/test/test_socks.c

+ 5 - 0
changes/bug22461

@@ -0,0 +1,5 @@
+  o Minor bugfixes:
+    - Refrain from needlessly rejecting SOCKS5 requests that contain
+      IP address strings when SafeSocks in enabled as this prevents
+      user from connecting to IP address they know without relying on
+      DNS for resolving.  Fixes bug 22461, bugfix on Tor 0.2.6.2-alpha.

+ 2 - 10
src/or/buffers.c

@@ -1684,15 +1684,7 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req,
           req->port = ntohs(get_uint16(data+5+len));
           *drain_out = 5+len+2;
 
-          if (string_is_valid_ipv4_address(req->address) ||
-              string_is_valid_ipv6_address(req->address)) {
-            log_unsafe_socks_warning(5,req->address,req->port,safe_socks);
-
-            if (safe_socks) {
-              socks_request_set_socks5_error(req, SOCKS5_NOT_ALLOWED);
-              return -1;
-            }
-          } else if (!string_is_valid_hostname(req->address)) {
+          if (!string_is_valid_hostname(req->address)) {
             socks_request_set_socks5_error(req, SOCKS5_GENERAL_ERROR);
 
             log_warn(LD_PROTOCOL,
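Review bot: With the IPv4/IPv6 branch removed, `string_is_valid_hostname(req->address)` is the only gate left for SOCKS5 address strings, so an IP literal is accepted only if that helper happens to accept it. The unchanged `== -1` assertion in the IPv6 case of src/test/test_socks.c suggests that colon-separated IPv6 literals still fail here and are answered with SOCKS5_GENERAL_ERROR, which is not what the changelog entry promises. Consider keeping the address helpers as an explicit accept path, e.g. `if (!string_is_valid_ipv4_address(req->address) && !string_is_valid_ipv6_address(req->address) && !string_is_valid_hostname(req->address)) {`. The removal also drops the `log_unsafe_socks_warning` call, so the log no longer shows when an application hands Tor an already-resolved address; if that is intended, a one-line comment saying so would help. parse_socks starts and ends outside the hunk.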
@@ -1814,7 +1806,7 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req,
       log_debug(LD_APP,"socks4: Everything is here. Success.");
       strlcpy(req->address, startaddr ? startaddr : tmpbuf,
               sizeof(req->address));
-      if (!tor_strisprint(req->address) || strchr(req->address,'\"')) {
+      if (!string_is_valid_hostname(req->address)) {
         log_warn(LD_PROTOCOL,
                  "Your application (using socks4 to port %d) gave Tor "
                  "a malformed hostname: %s. Rejecting the connection.",
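Review bot: The SOCKS4 check `if (!string_is_valid_hostname(req->address))` is stricter than the `tor_strisprint`/quote test it replaces, but changes/bug22461 describes only the SOCKS5 relaxation. Strings that were printable yet are not valid hostnames are now refused on this path, which looks like deliberate hardening and deserves its own changelog line plus a comment such as `/* Reject anything that is not a syntactically valid hostname. */`. Whether a dotted-quad address copied from `tmpbuf` passes the helper is not visible here and is worth covering with a test. The log_warn call and the enclosing function continue outside the hunk.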

+ 12 - 14
src/test/test_socks.c

@@ -229,25 +229,24 @@ test_socks_5_supported_commands(void *ptr)
   tt_int_op(0,OP_EQ, buf_datalen(buf));
   socks_request_clear(socks);
 
-  /* SOCKS 5 Should reject RESOLVE [F0] request for IPv4 address
+  /* SOCKS 5 Should NOT reject RESOLVE [F0] request for IPv4 address
    * string if SafeSocks is enabled. */
 
   ADD_DATA(buf, "\x05\x01\x00");
   ADD_DATA(buf, "\x05\xF0\x00\x03\x07");
   ADD_DATA(buf, "8.8.8.8");
-  ADD_DATA(buf, "\x01\x02");
+  ADD_DATA(buf, "\x11\x11");
   tt_assert(fetch_from_buf_socks(buf,socks,get_options()->TestSocks,1)
-            == -1);
+            == 1);
 
-  tt_int_op(5,OP_EQ,socks->socks_version);
-  tt_int_op(10,OP_EQ,socks->replylen);
-  tt_int_op(5,OP_EQ,socks->reply[0]);
-  tt_int_op(SOCKS5_NOT_ALLOWED,OP_EQ,socks->reply[1]);
-  tt_int_op(1,OP_EQ,socks->reply[3]);
+  tt_str_op("8.8.8.8", OP_EQ, socks->address);
+  tt_int_op(4369, OP_EQ, socks->port);
+  
+  tt_int_op(0, OP_EQ, buf_datalen(buf));
 
   socks_request_clear(socks);
 
-  /* SOCKS 5 should reject RESOLVE [F0] reject for IPv6 address
+  /* SOCKS 5 should NOT reject RESOLVE [F0] reject for IPv6 address
    * string if SafeSocks is enabled. */
 
   ADD_DATA(buf, "\x05\x01\x00");
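Review bot: The added port assertion `tt_int_op(4369, OP_EQ, socks->port);` would read more directly as `tt_int_op(0x1111, OP_EQ, socks->port);`, matching the `\x11\x11` bytes fed in a few lines earlier. The blank line added after it carries trailing spaces, which should be stripped. The updated IPv6 comment still reads "RESOLVE [F0] reject for IPv6 address"; `request` is meant. The test function continues outside the hunk.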
@@ -257,11 +256,10 @@ test_socks_5_supported_commands(void *ptr)
   tt_assert(fetch_from_buf_socks(buf,socks,get_options()->TestSocks,1)
             == -1);
 
-  tt_int_op(5,OP_EQ,socks->socks_version);
-  tt_int_op(10,OP_EQ,socks->replylen);
-  tt_int_op(5,OP_EQ,socks->reply[0]);
-  tt_int_op(SOCKS5_NOT_ALLOWED,OP_EQ,socks->reply[1]);
-  tt_int_op(1,OP_EQ,socks->reply[3]);
+  tt_str_op("2001:0db8:85a3:0000:0000:8a2e:0370:7334", OP_EQ, socks->address);
+  tt_int_op(258, OP_EQ, socks->port);
+
+  tt_int_op(0, OP_EQ, buf_datalen(buf));
 
   socks_request_clear(socks);
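Review bot: The context line `== -1` above the new assertions still expects fetch_from_buf_socks to fail for the IPv6 literal, while the updated comment says the request should NOT be rejected and the added lines check address and port as if parsing had succeeded. Either the expectation should become `== 1`, if IPv6 address strings are meant to be accepted with SafeSocks on, or the comment should state that IPv6 literals are still refused and the assertions should check the error reply instead. As written, the test pins the rejection behind a comment that says the opposite.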