Merge remote-tracking branch 'teor/first-hop-no-private'

changes/first-hop-no-private

@@ -0,0 +1,8 @@
+  o Minor bugfix (relays, hidden services):
+    - Refuse connection requests to private OR addresses unless
+      ExtendAllowPrivateAddresses is set. Previously, tor would
+      connect, then refuse to send any cells to a private address.
+      Fixes bugs 17674 and 8976; bugfix on b7c172c9ec76 (28 Aug 2012)
+      Original bug 6710, released in 0.2.3.21-rc and an 0.2.2 maint
+      release.
+      Patch by "teor".

doc/tor.1.txt

@@ -1898,9 +1898,11 @@ is non-zero):
     (Default: 1)
 
 [[ExtendAllowPrivateAddresses]] **ExtendAllowPrivateAddresses** **0**|**1**::
-    When this option is enabled, Tor routers allow EXTEND request to
-    localhost, RFC1918 addresses, and so on. This can create security issues;
-    you should probably leave it off. (Default: 0)
+    When this option is enabled, Tor will connect to localhost, RFC1918
+    addresses, and so on. In particular, Tor will make direct connections, and
+    Tor routers allow EXTEND requests, to these private addresses. This can
+    create security issues; you should probably leave it off.
+    (Default: 0)
 
 [[MaxMemInQueues]] **MaxMemInQueues**  __N__ **bytes**|**KB**|**MB**|**GB**::
     This option configures a threshold above which Tor will assume that it

src/or/circuitbuild.c

@@ -498,6 +498,14 @@ circuit_handle_first_hop(origin_circuit_t *circ)
   tor_assert(firsthop);
   tor_assert(firsthop->extend_info);
 
+  /* XX/teor - does tor ever need build a circuit directly to itself? */
+  if (tor_addr_is_internal(&firsthop->extend_info->addr, 0) &&
+      !get_options()->ExtendAllowPrivateAddresses) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Client asked me to connect directly to a private address");
+    return -END_CIRC_REASON_TORPROTOCOL;
+  }
+
   /* now see if we're already connected to the first OR in 'route' */
   log_debug(LD_CIRC,"Looking for firsthop '%s'",
             fmt_addrport(&firsthop->extend_info->addr,