r15273@tombo: nickm | 2008-04-22 12:32:28 -0400
apply patch from lodger: reject requests for reverse-dns lookup of names in private address space. make non-exits reject all dns requests. Fixes bug 619.


svn:r14410

Nick Mathewson 17 years ago
parent
commit
ef9c34688c
2 changed files with 19 additions and 4 deletions
  1. ChangeLog (+8 -1)
  2. src/or/dns.c (+11 -3)

+ 8 - 1
ChangeLog

@@ -29,6 +29,8 @@ Changes in version 0.2.1.1-alpha - 2008-??-??
       nwf, bugfix on 0.2.0.16-alpha.
     - Warn less verbosely about clock skew from netinfo cells from
       untrusted sources.  Fixes bug 663.
+    - Non-exit relays no longer allow DNS requests.  Fixes bug 619.
+      Patch from Lodger.
 
   o Minor features:
     - Allow separate log levels to be configured for different logging
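
Review bot: the added entry "Non-exit relays no longer allow DNS requests" is broader than the check in src/or/dns.c, which only refuses when `is_resolve` is set (purpose EXIT_PURPOSE_RESOLVE). Suggest wording it as "Non-exit relays no longer answer resolve requests" so the ChangeLog matches the behaviour a relay operator will actually see.
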
@@ -61,7 +63,12 @@ Changes in version 0.2.1.1-alpha - 2008-??-??
       descriptors we need to keep around when we're cleaning out old
       router descriptors.  This speeds up the computation significantly, and
       may reduce fragmentation.
-    - Make dumpstats() log the fullness and size of openssl-internal buffers.
+    - Make dumpstats() log the fullness and size of openssl-internal
+      buffers.
+
+  o Minor features (security):
+    - Reject requests for reverse-dns lookup of names in a private
+      address space.  Patch from Lodger.
 
   o Code simplifications and refactoring:
     - Refactor code using connection_ap_handshake_attach_circuit() to
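
Review bot: the new "Minor features (security)" entry says "reverse-dns lookup of names in a private address space", but a reverse lookup takes an address, and the code tests the parsed .in-addr.arpa address with is_internal_IP(). Suggest "Reject reverse-DNS lookups of addresses in private address space". The rewrap of the dumpstats() line in this hunk is unrelated to bug 619 and would be cleaner as a separate change.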

+ 11 - 3
src/or/dns.c

@@ -549,9 +549,14 @@ dns_resolve(edge_connection_t *exitconn)
   or_circuit_t *oncirc = TO_OR_CIRCUIT(exitconn->on_circuit);
   int is_resolve, r;
   char *hostname = NULL;
+  routerinfo_t *me = router_get_my_routerinfo();
   is_resolve = exitconn->_base.purpose == EXIT_PURPOSE_RESOLVE;
 
-  r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname);
+  if (is_resolve && me &&
+      policy_is_reject_star(me->exit_policy)) /* non-exit */
+    r = -1;
+  else
+    r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname);
   switch (r) {
     case 1:
       /* We got an answer without a lookup -- either the answer was
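
Review bot: in the new condition in dns_resolve(), a NULL return from router_get_my_routerinfo() makes `is_resolve && me && policy_is_reject_star(me->exit_policy)` false, so the request falls through to dns_resolve_impl() and is resolved, i.e. the check fails open. If that case cannot occur on a relay handling exit streams, say so in a comment; otherwise decide explicitly which way it should go. The trailing `/* non-exit */` would also read better as a comment line above the `if` stating that relays whose exit policy rejects everything refuse resolve requests, and braces on both branches would suit the multi-line condition.
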
@@ -660,9 +665,12 @@ dns_resolve_impl(edge_connection_t *exitconn, int is_resolve,
    * .in-addr.arpa address but this isn't a resolve request, kill the
    * connection.
    */
-  if ((r = parse_inaddr_arpa_address(exitconn->_base.address, NULL)) != 0) {
-    if (r == 1)
+  if ((r = parse_inaddr_arpa_address(exitconn->_base.address, &in)) != 0) {
+    if (r == 1) {
       is_reverse = 1;
+         if (is_internal_IP(ntohl(in.s_addr), 0)) /* internal address */
+           return -1;
+    }
 
     if (!is_reverse || !is_resolve) {
       if (!is_reverse)
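
Review bot: `&in` is now passed to parse_inaddr_arpa_address() and `in.s_addr` is read, but none of the 11 added lines in src/or/dns.c declares `in`, so this depends on a local already present in dns_resolve_impl() outside the hunk; please confirm it exists with the right type and is not relied on later with its earlier value. The two added lines `if (is_internal_IP(ntohl(in.s_addr), 0))` and `return -1;` are indented nine and eleven spaces while `is_reverse = 1;` directly above is at six; align them. A short comment on what the second argument `0` to is_internal_IP() selects would help, and since the early `return -1` is silent, consider a debug-level log so operators can tell a refused private-address lookup from other failures.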