[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] r17870: {tor} Backport r17138: Fix the rest of bug 619: reject *:* servers (in tor/branches/tor-0_2_0-patches: . doc src/or)

Author: nickm
Date: 2009-01-03 22:03:50 -0500 (Sat, 03 Jan 2009)
New Revision: 17870

Modified:
   tor/branches/tor-0_2_0-patches/ChangeLog
   tor/branches/tor-0_2_0-patches/doc/TODO.020
   tor/branches/tor-0_2_0-patches/src/or/dns.c
Log:
Backport r17138: Fix the rest of bug 619: reject *:* servers should not do DNS lookups, even if broken clients send them RELAY_BEGIN cells.  Patch from rovv.

Modified: tor/branches/tor-0_2_0-patches/ChangeLog
===================================================================
--- tor/branches/tor-0_2_0-patches/ChangeLog	2009-01-04 03:03:45 UTC (rev 17869)
+++ tor/branches/tor-0_2_0-patches/ChangeLog	2009-01-04 03:03:50 UTC (rev 17870)
@@ -56,7 +56,11 @@
       prevent possible guess-the-streamid injection attacks from
       intermediate hops.  Fixes another case of bug 446. Based on patch
       from rovv.
+    - If a broken client asks a non-exit router to connect somewhere,
+      do not even do the DNS lookup before rejecting the connection.
+      Fixes another case of bug 619.  Patch from rovv.
 
+
   o Minor features:
     - Report the case where all signatures in a detached set are rejected
       differently than the case where there is an error handling the

Modified: tor/branches/tor-0_2_0-patches/doc/TODO.020
===================================================================
--- tor/branches/tor-0_2_0-patches/doc/TODO.020	2009-01-04 03:03:45 UTC (rev 17869)
+++ tor/branches/tor-0_2_0-patches/doc/TODO.020	2009-01-04 03:03:50 UTC (rev 17870)
@@ -17,7 +17,7 @@
     o See also r17181...
     o ... and r17184.
   o r17137: send END cell in response to connect to nonexistent hidserv port.
-  - r17138: reject *:* servers should never do DNS lookups.
+  o r17138: reject *:* servers should never do DNS lookups.
   o r17139: Fix another case of overriding .exit choices.
   o r17162 and r17164: fix another case of not checking cpath_layer.
   - r17208,r17209,r7211,r17212,r17214: Avoid gotterdammerung when an

Modified: tor/branches/tor-0_2_0-patches/src/or/dns.c
===================================================================
--- tor/branches/tor-0_2_0-patches/src/or/dns.c	2009-01-04 03:03:45 UTC (rev 17869)
+++ tor/branches/tor-0_2_0-patches/src/or/dns.c	2009-01-04 03:03:50 UTC (rev 17870)
@@ -563,14 +563,10 @@
   or_circuit_t *oncirc = TO_OR_CIRCUIT(exitconn->on_circuit);
   int is_resolve, r;
   char *hostname = NULL;
-  routerinfo_t *me = router_get_my_routerinfo();
   is_resolve = exitconn->_base.purpose == EXIT_PURPOSE_RESOLVE;
 
-  if (is_resolve && me &&
-      policy_is_reject_star(me->exit_policy)) /* non-exit */
-    r = -1;
-  else
-    r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname);
+  r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname);
+
   switch (r) {
     case 1:
       /* We got an answer without a lookup -- either the answer was
@@ -645,6 +641,7 @@
   cached_resolve_t *resolve;
   cached_resolve_t search;
   pending_connection_t *pending_connection;
+  routerinfo_t *me;
   struct in_addr in;
   time_t now = time(NULL);
   uint8_t is_reverse = 0;
@@ -661,6 +658,11 @@
     exitconn->address_ttl = DEFAULT_DNS_TTL;
     return 1;
   }
+  /* If we're a non-exit, don't even do DNS lookups. */
+  if (!(me = router_get_my_routerinfo()) ||
+      policy_is_reject_star(me->exit_policy)) {
+    return -1;
+  }
   if (address_is_invalid_destination(exitconn->_base.address, 0)) {
     log(LOG_PROTOCOL_WARN, LD_EXIT,
         "Rejecting invalid destination address %s",