Opened 8 years ago

Closed 7 years ago

Last modified 7 years ago

#2822 closed defect (fixed)

fix for 2279 causes addresses mapped to private addresses to fail

Reported by: arma
Owned by:
Priority: Medium
Milestone: Tor: 0.2.3.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.2.23-alpha
Severity:
Keywords: tor-client
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

As part of the fix to #2279 we committed 411ec3c0 which made tor refuse socks connections to private/local addresses if .exit isn't specified.

I just got this line in my tor log:
Mar 31 14:45:52.116 [Warning] Rejecting SOCKS request for anonymous connection to private address [scrubbed]

I believe it happened because some exit relay answered my pidgin's request for the aim server with 192.168.1.1 or the like, and then my Tor cached that address even though it would map requests to it in the future and then refuse them.

I guess that means we should either revert that part of 2279 or add a check when we're adding an addressmap.

Change History (12)

comment:1 Changed 8 years ago by nickm

If that's the etiology, then we should indeed make it so we don't cache answers for private addresses. (I thought we already checked that.)

comment:2 Changed 8 years ago by Sebastian

I think nickm is right, we do seem to check that we don't cache private addresses in all cases where it matters, except in the case where we ask to resolve a private address directly (here we'd warn anyway). Isn't it more likely that you were accessing a resource that actually tried loading content from a private IP address? Trying to connect to "localhost" seems to confirm that.

This actually led me to discover two more issues: We don't ratelimit the log message, so a website that tries to include a lot of local content can easily spam your log. And if someone asks to resolve localhost, we ask a lot of exits before accepting that we don't get an answer we'll like.

comment:3 Changed 8 years ago by nickm

Rate-limiting the message is fine with me.

Not sure what the answer is for the "Localhost can't be 127.0.0.1! I won't believe your lies!" issue. We could special-case the name "localhost", or give up faster... should we? Is there anything else we could be doing?

As for arma's original report -- arma, do you still believe there is a bug here?

comment:4 Changed 8 years ago by Sebastian

I think we need to special-case localhost and .local and whatever else there might be that will always resolve to a private address.

comment:5 Changed 8 years ago by Sebastian

I think localhost and .local are the only two we need to be worried about.

But in fact we should make sure that exit nodes never try to resolve .local addresses, because that could leak interesting stuff about their local networks.

comment:6 Changed 8 years ago by nickm

Sounds plausible. I think both fixes are right. So to summarize, let's:

  • Rate-limit the "Rejecting SOCKS request for anonymous connection to private address" message,
  • Special-case the names "localhost" and "foo.local" on the client side and on the server side in the same way that we currently special-case 127/8.

comment:7 in reply to:  3 Changed 8 years ago by arma

Replying to nickm:

> As for arma's original report -- arma, do you still believe there is a bug here?

Not as much as I did originally.

I think pidgin is actually finding the IP address 192.168.1.1 somehow and trying to connect to it. I'm not sure if it's happening via a Tor connection or via some local (not even using Tor) lookup.

But I think it's more of a pidgin bug at this point.

(I think we could also move this bug to an 0.2.3.x milestone without any ill effects.)

comment:8 Changed 8 years ago by Sebastian

Milestone: Tor: 0.2.2.x-final → Tor: 0.2.3.x-final

comment:9 Changed 7 years ago by nickm

Status: new → needs_review

I've got the rate-limiter in branch "bug2822." I also have the client-side of checking for localhost and .local.

For the "special-case localhost", what about ".localdomain" and "localhost." etc., etc.? And where is this exit-side check supposed to be? I think that's handled by the code that checks for exit attempts to private addresses, and doesn't need a separate localhost check. Am I missing something?
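
The client-side name check summarized in comment 6, including the trailing-dot spelling raised in comment 9, as an added example that is not part of the ticket or of Tor's code. `hostname_is_local` is a hypothetical name, and ".localdomain" is left unhandled because the ticket does not settle it.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>  /* strncasecmp (POSIX) */

/* Hypothetical helper (not Tor's function): return 1 if `name` is a
 * hostname that should be treated like an address in 127/8, i.e.
 * refused on the client before any exit is asked to resolve it. */
int
hostname_is_local(const char *name)
{
  static const char suffix[] = ".local";
  const size_t suffix_len = sizeof(suffix) - 1;
  size_t len;

  if (name == NULL)
    return 0;
  len = strlen(name);

  /* "localhost." and "foo.local." are the fully qualified spellings of
   * the same names, so ignore one trailing root dot. */
  if (len > 0 && name[len - 1] == '.')
    len--;
  if (len == 0)
    return 0;

  /* Exact match only: "mylocalhost" is an ordinary name. */
  if (len == 9 && strncasecmp(name, "localhost", 9) == 0)
    return 1;

  /* Match ".local" as the final label only: "foo.local" is local, but
   * "notlocal" and "local.example.com" are not. */
  if (len > suffix_len &&
      strncasecmp(name + len - suffix_len, suffix, suffix_len) == 0)
    return 1;

  return 0;
}
```
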

comment:10 Changed 7 years ago by nickm

Resolution: fixed
Status: needs_review → closed

Merged this branch; opened a new ticket for tor_hostname_is_local as #5904

comment:11 Changed 7 years ago by nickm

Keywords: tor-client added

comment:12 Changed 7 years ago by nickm

Component: Tor Client → Tor