[tor-commits] [torsocks/osx] Refuse connections to local network addresses.
commit f9626fe6c27a4a9aa9bb8feb1702aec38f78147b
Author: Robert Hogan <robert@xxxxxxxxxxxxxxx>
Date: Sat Feb 12 14:12:04 2011 +0000
Refuse connections to local network addresses.
If a DNS request is made to a DNS server on a local network over
TCP we need to reject it. So for now, reject all attempts to connect
to servers on the local network using torsocks. If torsocks is used
with programs that expect to use local network services - this will
probably break them. I'm not aware of any.
---
src/tsocks.c | 22 ++++++++++++++--------
1 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/src/tsocks.c b/src/tsocks.c
index 02e21fc..1287d9b 100644
--- a/src/tsocks.c
+++ b/src/tsocks.c
@@ -349,10 +349,23 @@ int tsocks_connect_guts(CONNECT_SIGNATURE, int (*original_connect)(CONNECT_SIGNA
show_msg(MSGDEBUG, "sockopt: %i \n", sock_type);
+ /* If the address is local refuse it. We do this because it could
+ be a TCP DNS request to a local DNS server.*/
+ if (!(is_local(&config, &(connaddr->sin_addr))) &&
+ !is_dead_address(pool, connaddr->sin_addr.s_addr)) {
+ char buf[16];
+ inet_ntop(AF_INET, &(connaddr->sin_addr), buf, sizeof(buf));
+ show_msg(MSGERR, "connect: Connection is to a local address (%s), may be a "
+ "TCP DNS request to a local DNS server so have to reject to be safe. "
+ "Please report a bug to http://code.google.com/p/torsocks/issues/entry if "
+ "this is preventing a program from working properly with torsocks.\n", buf);
+ return -1;
+ }
+
/* If this isn't an INET socket we can't */
/* handle it, just call the real connect now */
if ((connaddr->sin_family != AF_INET)) {
- show_msg(MSGDEBUG, "Connection isn't a TCP stream ignoring\n");
+ show_msg(MSGDEBUG, "connect: Connection isn't IPv4, ignoring\n");
return(original_connect(__fd, __addr, __len));
}
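Review bot: the new local-address check dereferences `connaddr->sin_addr` before the `sin_family != AF_INET` test that follows it, so for a non-IPv4 sockaddr (AF_UNIX, AF_INET6) `is_local()` and `is_dead_address()` are evaluated on bytes that are not an IPv4 address; moving the block below the family check keeps the rejection logic and the "not IPv4, ignoring" pass-through mutually exclusive. Two smaller points in the same block: `return -1;` sets no `errno`, so a caller checking `errno` after the failed `connect()` sees whatever value was left over (setting `errno = ECONNREFUSED;` before returning would give a meaningful failure), and the comment says "If the address is local refuse it" while the condition is `!(is_local(...)) && !is_dead_address(...)`, which reads as the opposite; the removed code in the next hunk used the same condition to mean "local", so it is presumably `is_local()`'s return convention, but a one-line comment stating that convention would save the next reader the same double take.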
@@ -419,13 +432,6 @@ int tsocks_connect_guts(CONNECT_SIGNATURE, int (*original_connect)(CONNECT_SIGNA
show_msg(MSGDEBUG, "Got connection request for socket %d to "
"%s\n", __fd, inet_ntoa(connaddr->sin_addr));
- /* If the address is local call original_connect */
- if (!(is_local(&config, &(connaddr->sin_addr))) &&
- !is_dead_address(pool, connaddr->sin_addr.s_addr)) {
- show_msg(MSGDEBUG, "Connection for socket %d is local\n", __fd);
- return(original_connect(__fd, __addr, __len));
- }
-
/* Ok, so its not local, we need a path to the net */
pick_server(&config, &path, &(connaddr->sin_addr), ntohs(connaddr->sin_port));
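Review bot: with the local pass-through removed here, the surviving comment `/* Ok, so its not local, we need a path to the net */` is now stale at this position, since the "is it local" decision was made earlier in the function and never reaches this point; either reword it to say the address has already been checked against the local networks, or drop it. The removed branch was also the only place that logged `"Connection for socket %d is local"` at MSGDEBUG; the replacement logs at MSGERR, so users who previously relied on local connections working silently will now see an error with a bug-report URL on every such connect, which is the intended behaviour per the commit message but worth calling out in the changelog.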
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits