Changeset e3e15850


Timestamp:
Aug 23, 2012 7:10:36 PM (7 years ago)
Author:
zzz <zzz@…>
Branches:
master
Children:
5ffefd2
Parents:
54b367b
Message:
  • SSU:
    • Don't relay or introduce to/from privileged ports
    • Various spoof detections
Location:
router/java/src/net/i2p/router/transport/udp
Files:
5 edited

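--- a/router/java/src/net/i2p/router/transport/udp/EstablishmentManager.java
+++ b/router/java/src/net/i2p/router/transport/udp/EstablishmentManager.java
@@ -4,4 +4,5 @@
 import java.net.UnknownHostException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Iterator;
 import java.util.List;
@@ -242,5 +243,6 @@
             maybeTo = new RemoteHostId(remAddr.getAddress(), port);
 
-            if (!_transport.isValid(maybeTo.getIP())) {
+            if ((!_transport.isValid(maybeTo.getIP())) ||
+                Arrays.equals(maybeTo.getIP(), _transport.getExternalIP())) {
                 _transport.failed(msg, "Remote peer's IP isn't valid");
                 _transport.markUnreachable(toHash);
@@ -450,16 +452,16 @@
             // count as connections, we have to keep the connection to this peer up longer if
             // we are offering introductions.
+            // Don't offer to relay to privileged ports.
             if ((!_context.router().isHidden()) && (!_transport.introducersRequired()) && _transport.haveCapacity() &&
+                state.getSentPort() >= 1024 &&
                 !((FloodfillNetworkDatabaseFacade)_context.netDb()).floodfillEnabled()) {
                 // ensure > 0
                 long tag = 1 + _context.random().nextLong(MAX_TAG_VALUE);
                 state.setSentRelayTag(tag);
-                if (_log.shouldLog(Log.INFO))
-                    _log.info("Received NEW session request from " + from + ", sending relay tag " + tag);
             } else {
                 // we got an IB even though we were firewalled, hidden, not high cap, etc.
-                if (_log.shouldLog(Log.INFO))
-                    _log.info("Received session request, but our status is " + _transport.getReachabilityStatus());
-            }
+            }
+            if (_log.shouldLog(Log.INFO))
+                _log.info("Received NEW session request " + state);
         } else {
             if (_log.shouldLog(Log.DEBUG))
@@ -901,14 +903,14 @@
             if (!_transport.isValid(ip))
                 throw new UnknownHostException("non-public IP");
-            if (port <= 0 || port > 65535)
+            // let's not relay to a privileged port, sounds like trouble
+            if (port < 1024 || port > 65535)
                 throw new UnknownHostException("bad port " + port);
+            if (Arrays.equals(ip, _transport.getExternalIP()))
+                throw new UnknownHostException("relay myself");
             addr = InetAddress.getByAddress(ip);
         } catch (UnknownHostException uhe) {
             if (_log.shouldLog(Log.WARN))
                 _log.warn("Introducer for " + state + " (" + bob + ") sent us an invalid address for our target: " + Addresses.toString(ip, port), uhe);
-            // these two cause this peer to requeue for a new intro peer
-            // FIXME no it doesn't, we send to all at once
-            //state.introductionFailed();
-            //notifyActivity();
+            // TODO either put the nonce back in liveintroductions, or fail
             return;
         }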
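Review bot: The added self-address test in the second hunk (new lines 245–246) reports through the existing `_transport.failed(msg, "Remote peer's IP isn't valid")` path, so a peer whose advertised address matches our own external IP is marked unreachable under a reason that no longer describes the case. A distinct reason, e.g. `_transport.failed(msg, "Remote peer's IP isn't valid or is our own IP");`, keeps the two failure causes distinguishable in the log when a spoofed or misconfigured address is being investigated. `Arrays.equals(byte[], byte[])` returns false when exactly one argument is null, so the comparison is safe while `getExternalIP()` still returns null at startup. In the last hunk the replacement comment `// TODO either put the nonce back in liveintroductions, or fail` records that a rejected introducer address leaves the pending introduction unresolved; that outcome predates this commit, but the new privileged-port and self-IP checks make the rejection path reachable more often, so it deserves tracking. All three edited methods start and end outside their hunks.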
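--- a/router/java/src/net/i2p/router/transport/udp/IntroductionManager.java
+++ b/router/java/src/net/i2p/router/transport/udp/IntroductionManager.java
@@ -4,4 +4,5 @@
 import java.net.UnknownHostException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
@@ -73,4 +74,7 @@
     public void add(PeerState peer) {
         if (peer == null) return;
+        // let's not use an introducer on a privileged port, sounds like trouble
+        if (peer.getRemotePort() < 1024)
+            return;
         if (_log.shouldLog(Log.DEBUG))
             _log.debug("Adding peer " + peer.getRemoteHostId() + ", weRelayToThemAs "
@@ -157,5 +161,5 @@
             byte[] ip = cur.getRemoteIP();
             int port = cur.getRemotePort();
-            if (ip == null || !TransportImpl.isPubliclyRoutable(ip) || port <= 0 || port > 65535)
+            if (ip == null || !TransportImpl.isPubliclyRoutable(ip) || port < 1024 || port > 65535)
                 continue;
             if (_log.shouldLog(Log.INFO))
@@ -234,6 +238,9 @@
             if (!_transport.isValid(ip))
                 throw new UnknownHostException("non-public IP");
-            if (port <= 0 || port > 65535)
+            // let's not punch to a privileged port, sounds like trouble
+            if (port < 1024 || port > 65535)
                 throw new UnknownHostException("bad port " + port);
+            if (Arrays.equals(ip, _transport.getExternalIP()))
+                throw new UnknownHostException("punch myself");
             to = InetAddress.getByAddress(ip);
         } catch (UnknownHostException uhe) {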
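Review bot: The new guard in `add(PeerState)` (new lines 77–78) returns silently, so a peer rejected for a low port leaves no trace in the debug log that the following lines write for accepted peers; a line such as `_log.debug("Not using peer on privileged port: " + peer.getRemoteHostId())` under the file's existing `shouldLog(Log.DEBUG)` pattern would make the exclusion diagnosable. The guard also omits the `port > 65535` bound that the selection loop applies at new line 163; `if (peer.getRemotePort() < 1024 || peer.getRemotePort() > 65535)` keeps the two checks equivalent, even though the port here is presumably already socket-derived. The same privileged-port predicate is now spelled out in four places in this commit (twice here, once each in EstablishmentManager and PacketBuilder), each with its own comment; one package-private helper taking the port would keep the threshold from drifting between call sites. The methods edited in the third and fourth hunks start and end outside their hunks.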
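--- a/router/java/src/net/i2p/router/transport/udp/PacketBuilder.java
+++ b/router/java/src/net/i2p/router/transport/udp/PacketBuilder.java
@@ -1067,13 +1067,16 @@
             byte ikey[] = addr.getIntroducerKey(i);
             long tag = addr.getIntroducerTag(i);
-            if ( (ikey == null) || (iport <= 0) || (iaddr == null) || (tag <= 0) ) {
+            // let's not use an introducer on a privileged port, sounds like trouble
+            if (ikey == null || iport < 1024 || iport > 65535 ||
+                iaddr == null || tag <= 0 ||
+                (!_transport.isValid(iaddr.getAddress())) ||
+                Arrays.equals(iaddr.getAddress(), _transport.getExternalIP())) {
                 if (_log.shouldLog(_log.WARN))
                     _log.warn("Cannot build a relay request to " + state.getRemoteIdentity().calculateHash()
                                + ", as their UDP address is invalid: addr=" + addr + " index=" + i);
+                // TODO implement some sort of introducer shitlist
                 continue;
             }
-            // TODO implement some sort of introducer shitlist
-            if (transport.isValid(iaddr.getAddress()))
-                rv.add(buildRelayRequest(iaddr, iport, ikey, tag, ourIntroKey, state.getIntroNonce(), true));
+            rv.add(buildRelayRequest(iaddr, iport, ikey, tag, ourIntroKey, state.getIntroNonce(), true));
         }
         return rv;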
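Review bot: The warning at new lines 1074–1076 now fires for several distinct reasons (missing key, privileged or out-of-range port, missing address, bad tag, non-public address, our own IP) but still reports only `addr` and `index`, so an introducer rejected by the new policy checks cannot be told apart from a malformed one in the log; appending `+ " port=" + iport` to the message gives the operator the value the new checks act on. On the same line, `_log.shouldLog(_log.WARN)` reads a static constant through the instance while the rest of this commit writes `Log.WARN`; `if (_log.shouldLog(Log.WARN))` keeps the file consistent. The order of the new condition is load-bearing: `iaddr == null` must stay ahead of the two `iaddr.getAddress()` calls, which it currently does, and a short comment saying so would protect it from reordering. The enclosing loop and method start and end outside the hunk.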
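--- a/router/java/src/net/i2p/router/transport/udp/UDPReceiver.java
+++ b/router/java/src/net/i2p/router/transport/udp/UDPReceiver.java
@@ -3,4 +3,5 @@
 import java.io.IOException;
 import java.net.DatagramSocket;
+import java.util.Arrays;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.LinkedBlockingQueue;
@@ -165,4 +166,12 @@
                 _log.info("Ignoring packet from the drop-listed peer: " + from);
             _context.statManager().addRateData("udp.ignorePacketFromDroplist", packet.getLifetime(), 0);
+            packet.release();
+            return 0;
+        }
+
+        // drop anything apparently from our IP (any port)
+        if (Arrays.equals(from.getIP(), _transport.getExternalIP())) {
+            if (_log.shouldLog(Log.WARN))
+                _log.warn("Dropping (spoofed?) packet from ourselves");
             packet.release();
             return 0;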
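Review bot: The new self-IP drop (new lines 172–175) logs at WARN for every matching packet, so the volume of this log line is controlled by whoever puts our external address in a datagram's source field; the drop-list branch just above logs at INFO and records `_context.statManager().addRateData("udp.ignorePacketFromDroplist", ...)`, and this branch should follow the same shape — a rate stat (name to be chosen, following the existing `udp.ignorePacketFrom...` pattern) plus an INFO or DEBUG line keeps the event observable without letting the log become the sender's output. Because the comparison is IP-only, as the comment says, any other router that shares this external address and reaches us through it is dropped too; whether that deployment is supported is not visible here, so a sentence in the comment stating the intended trade-off would help. `Arrays.equals` with a null `getExternalIP()` result is false, so the branch is inert until the external address is known. The enclosing method starts and ends outside the hunk.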
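--- a/router/java/src/net/i2p/router/transport/udp/UDPTransport.java
+++ b/router/java/src/net/i2p/router/transport/udp/UDPTransport.java
@@ -7,4 +7,5 @@
 import java.text.DecimalFormat;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Comparator;
@@ -406,4 +407,15 @@
     public InetAddress getLocalAddress() { return _externalListenHost; }
     public int getExternalPort() { return _externalListenPort; }
+
+    /**
+     *  @return IP or null
+     *  @since 0.9.2
+     */
+    byte[] getExternalIP() {
+       InetAddress ia = _externalListenHost;
+       if (ia == null)
+           return null;
+       return ia.getAddress();
+    }
 
     /**
@@ -1184,12 +1196,10 @@
                 return null;
             }
+
             UDPAddress ua = new UDPAddress(addr);
-            if (ua == null) {
-                markUnreachable(to);
-                return null;
-            }
             if (ua.getIntroducerCount() <= 0) {
                 InetAddress ia = ua.getHostAddress();
-                if (ua.getPort() <= 0 || ia == null || !isValid(ia.getAddress())) {
+                if (ua.getPort() <= 0 || ia == null || !isValid(ia.getAddress()) ||
+                    Arrays.equals(ia.getAddress(), getExternalIP())) {
                     markUnreachable(to);
                     return null;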
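Review bot: The body of the new `getExternalIP()` (new lines 415–418) is indented seven spaces where the surrounding file uses eight, so the method reads as mis-nested; reindenting those four lines is a one-time cleanup. The Javadoc could also state what callers rely on: `@return a fresh copy of the external IP bytes, or null if the external address is not yet known`, and that comparing the result with `Arrays.equals` is null-safe, which is how every caller added in this commit uses it. Copying `_externalListenHost` into the local `ia` before the null test presumably guards against the field being replaced concurrently; a one-line comment saying so would stop a later edit from collapsing it back into two reads of the field. The method edited in the third hunk starts and ends outside the hunk.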