[tor-commits] [torsocks/osx] Refuse connections to local network addresses.

hoganrobert at torproject.org hoganrobert at torproject.org
Sun Oct 23 18:27:14 UTC 2011


commit f9626fe6c27a4a9aa9bb8feb1702aec38f78147b
Author: Robert Hogan <robert at roberthogan.net>
Date:   Sat Feb 12 14:12:04 2011 +0000

    Refuse connections to local network addresses.
    
    If a DNS request is made to a DNS server on a local network over
    TCP we need to reject it. So for now, reject all attempts to connect
    to servers on the local network using torsocks. If torsocks is used
    with programs that expect to use local network services, this will
    probably break them. I'm not aware of any.
---
 src/tsocks.c |   22 ++++++++++++++--------
 1 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/tsocks.c b/src/tsocks.c
index 02e21fc..1287d9b 100644
--- a/src/tsocks.c
+++ b/src/tsocks.c
@@ -349,10 +349,23 @@ int tsocks_connect_guts(CONNECT_SIGNATURE, int (*original_connect)(CONNECT_SIGNA
 
     show_msg(MSGDEBUG, "sockopt: %i \n", sock_type);
 
+    /* If the address is local refuse it. We do this because it could
+       be a TCP DNS request to a local DNS server.*/
+    if (!(is_local(&config, &(connaddr->sin_addr))) &&
+        !is_dead_address(pool, connaddr->sin_addr.s_addr)) {
+        char buf[16];
+        inet_ntop(AF_INET, &(connaddr->sin_addr), buf, sizeof(buf));
+        show_msg(MSGERR, "connect: Connection is to a local address (%s), may be a "
+                         "TCP DNS request to a local DNS server so have to reject to be safe. "
+                         "Please report a bug to http://code.google.com/p/torsocks/issues/entry if "
+                         "this is preventing a program from working properly with torsocks.\n", buf);
+        return -1;
+    }
+
     /* If this isn't an INET socket we can't  */
     /* handle it, just call the real connect now        */
     if ((connaddr->sin_family != AF_INET)) {
-        show_msg(MSGDEBUG, "Connection isn't a TCP stream ignoring\n");
+        show_msg(MSGDEBUG, "connect: Connection isn't IPv4, ignoring\n");
         return(original_connect(__fd, __addr, __len));
     }
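Review bot: The new local-address reject on L32–L41 runs before the `sin_family != AF_INET` guard on L45, so `connaddr->sin_addr` is read from a sockaddr that may not be a `struct sockaddr_in` at all (AF_UNIX or AF_INET6 callers reach this point first); for those the bytes under `sin_addr` are meaningless, so the check can refuse a non-IPv4 connect or read past a short `__len`. Either move the block below the family guard or add the family test to its condition: `if (connaddr->sin_family == AF_INET && !(is_local(&config, &(connaddr->sin_addr))) &&`. The `return -1;` on L40 also leaves `errno` untouched, so a caller of connect() sees a failure with a stale error code; `errno = ECONNREFUSED;` before the return would be consistent with the connect() contract (check how the rest of tsocks.c reports refused connections). Minor: `inet_ntop` on L35 is unchecked, so on failure `buf` is printed uninitialized; `char buf[16] = {0};` or testing its return avoids that. tsocks_connect_guts starts and ends outside this hunk.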
 
@@ -419,13 +432,6 @@ int tsocks_connect_guts(CONNECT_SIGNATURE, int (*original_connect)(CONNECT_SIGNA
     show_msg(MSGDEBUG, "Got connection request for socket %d to "
                         "%s\n", __fd, inet_ntoa(connaddr->sin_addr));
 
-    /* If the address is local call original_connect */
-    if (!(is_local(&config, &(connaddr->sin_addr))) &&
-        !is_dead_address(pool, connaddr->sin_addr.s_addr)) {
-        show_msg(MSGDEBUG, "Connection for socket %d is local\n", __fd);
-        return(original_connect(__fd, __addr, __len));
-    }
-
     /* Ok, so its not local, we need a path to the net */
     pick_server(&config, &path, &(connaddr->sin_addr), ntohs(connaddr->sin_port));
 




