pf: when extracting an IPv6 address, make sure we got an IPv6 address

Our code assumes that when we're configured to get IPv6 addresses
out of a TRANS_PF transparent proxy connection, we actually will.
But we didn't check that, and so FreeBSD started warning us about a
potential NULL pointer dereference.

Fixes part of bug 31687; bugfix on 0.2.3.4-alpha when this code was
added.

diff --git a/changes/ticket31687_2 b/changes/ticket31687_2
new file mode 100644 (file)
index 0000000..eadc698
--- /dev/null
+++ b/changes/ticket31687_2
@@ -0,0 +1,5 @@
+  o Minor bugfixes (FreeBSD, PF-based proxy, IPv6):
+    - When extracting an IPv6 address from a PF-based proxy, verify
+      that we are actually configured to receive an IPv6 address,
+      and log an internal error if not. Fixes part of bug 31687;
+      bugfix on 0.2.3.4-alpha.

diff --git a/src/core/or/connection_edge.c b/src/core/or/connection_edge.c
index e4b3455d1330a0cb217f5f9a05c49bd7578f3b47..7cc67d7f5ec7393175cf62f9025940f47e17327d 100644 (file)
--- a/src/core/or/connection_edge.c
+++ b/src/core/or/connection_edge.c
@@ -2547,8 +2547,11 @@ destination_from_pf(entry_connection_t *conn, socks_request_t *req)
   } else if (proxy_sa->sa_family == AF_INET6) {
     struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)proxy_sa;
     pnl.af = AF_INET6;
-    memcpy(&pnl.saddr.v6, tor_addr_to_in6(&ENTRY_TO_CONN(conn)->addr),
-           sizeof(struct in6_addr));
+    const struct in6_addr *dest_in6 =
+      tor_addr_to_in6(&ENTRY_TO_CONN(conn)->addr);
+    if (BUG(!dest_in6))
+      return -1;
+    memcpy(&pnl.saddr.v6, dest_in6, sizeof(struct in6_addr));
     pnl.sport = htons(ENTRY_TO_CONN(conn)->port);
     memcpy(&pnl.daddr.v6, &sin6->sin6_addr, sizeof(struct in6_addr));
     pnl.dport = sin6->sin6_port;