diff options
| -rw-r--r-- | src/or/connection.c | 5 | ||||
| -rw-r--r-- | src/or/connection_edge.c | 17 | ||||
| -rw-r--r-- | src/or/or.h | 2 |
3 files changed, 19 insertions, 5 deletions
diff --git a/src/or/connection.c b/src/or/connection.c index 49576eba3..e868a43bf 100644 --- a/src/or/connection.c +++ b/src/or/connection.c @@ -429,6 +429,11 @@ static int connection_init_accepted_conn(connection_t *conn) { case CONN_TYPE_OR: return connection_tls_start_handshake(conn, 1); case CONN_TYPE_AP: + /* check sockspolicy to see if we should accept it */ + if(socks_policy_permits_address(conn->addr) == 0) { + log_fn(LOG_WARN,"Denying socks connection from untrusted address %s.", conn->address); + return -1; + } conn->state = AP_CONN_STATE_SOCKS_WAIT; break; case CONN_TYPE_DIR: diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 8de0d6d9b..82e28e409 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -17,7 +17,6 @@ static struct exit_policy_t *socks_policy = NULL; static int connection_ap_handshake_process_socks(connection_t *conn); static void parse_socks_policy(void); -static int socks_policy_permits_address(uint32_t addr); /** Handle new bytes on conn->inbuf, or notification of eof. * @@ -785,6 +784,12 @@ int connection_ap_can_use_exit(connection_t *conn, routerinfo_t *exit) conn->socks_request->port, exit->exit_policy); } +/** A helper function for socks_policy_permits_address() below. + * + * Parse options.SocksPolicy in the same way that the exit policy + * is parsed, and put the processed version in &socks_policy. + * Ignore port specifiers. + */ static void parse_socks_policy(void) { struct exit_policy_t *n; @@ -800,6 +805,9 @@ static void parse_socks_policy(void) } } +/** Return 1 if <b>addr</b> is permitted to connect to our socks port, + * based on <b>socks_policy</b>. Else return 0. + */ int socks_policy_permits_address(uint32_t addr) { int a; @@ -811,10 +819,9 @@ int socks_policy_permits_address(uint32_t addr) return 0; else if (a==0) return 1; - else if (a==1) { - log_fn(LOG_WARN, "Got unexpected 'maybe' answer from socks policy"); - return 1; - } + tor_assert(a==1); + log_fn(LOG_WARN, "Got unexpected 'maybe' answer from socks policy"); + return 0; } /* ***** Client DNS code ***** */ diff --git a/src/or/or.h b/src/or/or.h index db1f58173..149c197d5 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1044,6 +1044,8 @@ int connection_ap_can_use_exit(connection_t *conn, routerinfo_t *exit); void connection_ap_expire_beginning(void); void connection_ap_attach_pending(void); +int socks_policy_permits_address(uint32_t addr); + void client_dns_init(void); uint32_t client_dns_lookup_entry(const char *address); int client_dns_incr_failures(const char *address); |