[tor-commits] [torsocks/master] Fix: check if address is local after onion lookup

dgoulet at torproject.org dgoulet at torproject.org
Fri Apr 4 22:40:27 UTC 2014 

commit 8068776cafdf42fbc1cd5c8d4751c657ddbb33ed
Author: David Goulet <dgoulet at ev0ke.net>
Date:   Thu Nov 7 21:26:12 2013 -0500

    Fix: check if address is local after onion lookup
    
    Make the .onion address lookup before we check if the address is local
    (in the loopback network range). By default, onion cookies are in that
    range (127.42.42.x).
    
    Signed-off-by: David Goulet <dgoulet at ev0ke.net>
---
 src/lib/connect.c |   24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/src/lib/connect.c b/src/lib/connect.c
index ab2e082..bdc9e6f 100644
--- a/src/lib/connect.c
+++ b/src/lib/connect.c
@@ -71,16 +71,6 @@ LIBC_CONNECT_RET_TYPE tsocks_connect(LIBC_CONNECT_SIG)
 
 	inet_addr = (struct sockaddr_in *) __addr;
 
-	/* Check if address is local IPv4. */
-	if (__addr->sa_family == AF_INET &&
-			utils_is_ipv4_local(inet_addr->sin_addr.s_addr)) {
-		WARN("[connect] Connection to a local address are denied since it "
-				"might be a TCP DNS query to a local DNS server. "
-				"Rejecting it for safety reasons.");
-		errno = EPERM;
-		goto error;
-	}
-
 	/*
 	 * Lock registry to get the connection reference if one. In this code path,
 	 * if a connection object is found, it will not be used since a double
@@ -104,7 +94,6 @@ LIBC_CONNECT_RET_TYPE tsocks_connect(LIBC_CONNECT_SIG)
 	on_entry = onion_entry_find_by_ip(inet_addr->sin_addr.s_addr,
 			&tsocks_onion_pool);
 	onion_pool_unlock(&tsocks_onion_pool);
-
 	if (on_entry) {
 		/*
 		 * Create a connection without a destination address since we will set
@@ -119,6 +108,19 @@ LIBC_CONNECT_RET_TYPE tsocks_connect(LIBC_CONNECT_SIG)
 		new_conn->dest_addr.hostname.addr = strdup(on_entry->hostname);
 		new_conn->dest_addr.hostname.port = inet_addr->sin_port;
 	} else {
+		/*
+		 * Check if address is local IPv4. At this point, we are sure it's not
+		 * a .onion cookie address that is by default in the loopback network.
+		 */
+		if (__addr->sa_family == AF_INET &&
+				utils_is_ipv4_local(inet_addr->sin_addr.s_addr)) {
+			WARN("[connect] Connection to a local address are denied since it "
+					"might be a TCP DNS query to a local DNS server. "
+					"Rejecting it for safety reasons.");
+			errno = EPERM;
+			goto error;
+		}
+
 		new_conn = connection_create(__sockfd, __addr);
 		if (!new_conn) {
 			errno = ENOMEM;

More information about the tor-commits mailing list