[tbb-bugs] #25036 [Core Tor/Tor]: Tor 0.3.2 rejects connections to raw ipv6 addresses

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Feb 5 20:32:24 UTC 2018

#25036: Tor 0.3.2 rejects connections to raw ipv6 addresses
 Reporter:  pastly                        |          Owner:  tbb-team
     Type:  defect                        |         Status:  new
 Priority:  High                          |      Milestone:  Tor: 0.3.3.x-final
Component:  Core Tor/Tor                  |        Version:  Tor:
 Severity:  Normal                        |     Resolution:
 Keywords:  regression ipv6 032-backport  |  Actual Points:
Parent ID:                                |         Points:
 Reviewer:                                |        Sponsor:

Changes (by teor):

 * status:  needs_information => new


 Replying to [comment:12 dgoulet]:
 > Quick question on this. Are we sure this is not Tor Browser sending a
 > SOCKS5 request with the type "fqdn" used with an IPv6 address?
 > That `string_is_valid_hostname()` check is done when we get an
 > `atyp = 0x03` in the SOCKS5 request which means tor should expect a FQDN
 > thus returning the error here is fine. The IPv6 address is handled before.
 > Why is TB sending a fqdn request at all with this address:
 > https://[2a00:1450:401b:800::200e]/ ?

 Technically, you are correct: Tor Browser should not send IP addresses as
 strings at all.
 But if it does, we should handle them sensibly.

 Here are the possible types:
 ATYP   address type of following address
              o  IP V4 address: X'01'
              o  DOMAINNAME: X'03'
              o  IP V6 address: X'04'
 See section 4 in https://tools.ietf.org/html/rfc1928

 Here are the specs for each type:
 In an address field (DST.ADDR, BND.ADDR), the ATYP field specifies
    the type of address contained within the field:

           o  X'01'

    the address is a version-4 IP address, with a length of 4 octets

           o  X'03'

    the address field contains a fully-qualified domain name.  The first
    octet of the address field contains the number of octets of name that
    follow, there is no terminating NUL octet.

           o  X'04'

    the address is a version-6 IP address, with a length of 16 octets.

 So IPv4 and IPv6 should be binary encoded. And all strings should be

 Tor Browser is obviously sending IPv4 and IPv6 addresses as text, in
 violation of the spec. Tor has always accepted IPv4 addresses as text, in
 violation of the spec. Therefore, we should accept IPv6 addresses as text,
 just like we did in 0.3.1. Because we can't break a feature like this.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25036#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
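
An added example, not part of the ticket and not Tor's code: a minimal C classifier for the SOCKS5 destination field that accepts an IPv4 or IPv6 literal arriving as text under ATYP X'03', which is the behaviour the comment above argues for. The enum and function names, the simplified hostname check and the constructed request are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum dest_kind { DEST_INVALID, DEST_IPV4, DEST_IPV6, DEST_HOSTNAME,
                 DEST_IPV4_TEXT, DEST_IPV6_TEXT };  /* hypothetical names */

/* Simplified stand-in for a hostname validity check, not Tor's code. */
static int hostname_ok(const char *s) {
  for (const char *p = s; *p; p++)
    if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.') return 0;
  return *s != '\0';
}

/* Classify DST.ADDR in VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928). */
enum dest_kind socks5_dest_kind(const uint8_t *req, size_t len) {
  char name[256]; unsigned char bin[16];
  if (len < 5 || req[0] != 0x05) return DEST_INVALID;
  if (req[3] == 0x01) return len == 4 + 4 + 2 ? DEST_IPV4 : DEST_INVALID;
  if (req[3] == 0x04) return len == 4 + 16 + 2 ? DEST_IPV6 : DEST_INVALID;
  if (req[3] != 0x03) return DEST_INVALID;
  size_t n = req[4];              /* length octet; no terminating NUL */
  if (n == 0 || len != 4 + 1 + n + 2) return DEST_INVALID;
  memcpy(name, req + 5, n);
  name[n] = '\0';
  if (strlen(name) != n) return DEST_INVALID;   /* embedded NUL octet */
  /* Text literals in a DOMAINNAME field: off-spec, but accepted here. */
  if (inet_pton(AF_INET, name, bin) == 1) return DEST_IPV4_TEXT;
  if (inet_pton(AF_INET6, name, bin) == 1) return DEST_IPV6_TEXT;
  return hostname_ok(name) ? DEST_HOSTNAME : DEST_INVALID;
}

/* Build a constructed ATYP 0x03 request for host, port 443, and classify. */
enum dest_kind classify_text_dest(const char *host) {
  uint8_t req[4 + 1 + 255 + 2] = { 0x05, 0x01, 0x00, 0x03 };
  size_t n = strlen(host);
  if (n > 255) return DEST_INVALID;
  req[4] = (uint8_t)n;
  memcpy(req + 5, host, n);
  req[5 + n] = 0x01; req[6 + n] = 0xBB;   /* port 443, network order */
  return socks5_dest_kind(req, 4 + 1 + n + 2);
}

int main(void) {   /* address below is the one quoted in the ticket */
  printf("%d\n", classify_text_dest("2a00:1450:401b:800::200e"));
  return 0;
}
```

Checking for IP literals before the hostname check matters: an IPv6 literal contains colons and would otherwise fail a hostname character check and be rejected.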
