diff --git a/changes/bug6710 b/changes/bug6710
new file mode 100644
index 0000000000000000000000000000000000000000..69a3c7ef4021cc718f7b46908008a5833019919f
--- /dev/null
+++ b/changes/bug6710
@@ -0,0 +1,7 @@
+  o Major bugfixes (security):
+    - Reject any attempt to extend to an internal address. Without
+      this fix, a router could be used to probe addresses on an
+      internal network to see whether they were accepting
+      connections. Fix for bug 6710; bugfix on all released versions
+      of Tor.
+
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index e7ba8485c0f3401744a08ef5ad54f45a7f3cb80c..7e0751b2b25824fea7527dc236136bdfccea425b 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1470,6 +1470,11 @@ is non-zero):
     its extra-info documents that it uploads to the directory authorities.
     (Default: 1)
 
+**ExtendAllowPrivateAddresses** **0**|**1**::
+    When this option is enabled, Tor routers allow EXTEND request to
+    localhost, RFC1918 addresses, and so on. This can create security issues;
+    you should probably leave it off. (Default: 0)
+
 DIRECTORY SERVER OPTIONS
 ------------------------
 
@@ -1795,6 +1800,7 @@ The following options are used for running a testing Tor network.
        ClientRejectInternalAddresses 0
        CountPrivateBandwidth 1
        ExitPolicyRejectPrivate 0
+       ExtendAllowPrivateAddresses 1
        V3AuthVotingInterval 5 minutes
        V3AuthVoteDelay 20 seconds
        V3AuthDistDelay 20 seconds
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 39a223b2f426f7113f5d1a2bb27c14668f5ca862..f11bebf7c9354c6ff84cbd2769c19e6b221f75cd 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -2432,6 +2432,13 @@ circuit_extend(cell_t *cell, circuit_t *circ)
     return -1;
   }
 
+  if (tor_addr_is_internal(&n_addr, 0) &&
+      !get_options()->ExtendAllowPrivateAddresses) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Client asked me to extend to a private address");
+    return -1;
+  }
+
   /* Check if they asked us for 0000..0000. We support using
    * an empty fingerprint for the first hop (e.g. for a bridge relay),
    * but we don't want to let people send us extend cells for empty
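Review bot: The new guard on `tor_addr_is_internal(&n_addr, 0)` carries no comment saying why it exists or what the literal `0` selects, so a reader of circuit_extend cannot tell that it is a security check. I would add above it `/* Refuse to extend to internal addresses unless configured otherwise: a client could use this relay to learn which hosts on our internal network accept connections (bug 6710). */`. The comment should also name the second argument, which I believe is the for_listening flag; confirm that against its declaration. The warning also does not say which address was refused; if operators need that for triage, it should be logged through whatever address-scrubbing helper the file already uses. circuit_extend begins and ends outside this hunk, so whether a later path uses an address other than n_addr is not visible here.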
diff --git a/src/or/config.c b/src/or/config.c
index 3970808fb30a53b8d37893c9ebcfdede9d787f6a..d5e80cc832856edbc25ce1cf187465cd8b173779 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -276,6 +276,7 @@ static config_var_t _option_vars[] = {
   V(ExitPolicy,                  LINELIST, NULL),
   V(ExitPolicyRejectPrivate,     BOOL,     "1"),
   V(ExitPortStatistics,          BOOL,     "0"),
+  V(ExtendAllowPrivateAddresses, BOOL,     "0"),
   V(ExtraInfoStatistics,         BOOL,     "1"),
 
 #if defined (WINCE)
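Review bot: `ExtendAllowPrivateAddresses` is registered here with default "0", but nothing in the visible hunks warns an operator who turns it on for a relay outside a testing network, which re-opens the probing issue described in changes/bug6710. If option validation does not already cover this (that code is outside the diff), consider a startup warning such as `if (options->ExtendAllowPrivateAddresses && !options->TestingTorNetwork) log_warn(LD_CONFIG, "ExtendAllowPrivateAddresses is set; this relay will extend circuits to internal addresses.");`. The later hunk in testing_tor_network_defaults sets the value to "1", which matches the list in doc/tor.1.txt.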
@@ -473,6 +474,7 @@ static const config_var_t testing_tor_network_defaults[] = {
   V(ClientRejectInternalAddresses, BOOL,   "0"),
   V(CountPrivateBandwidth,       BOOL,     "1"),
   V(ExitPolicyRejectPrivate,     BOOL,     "0"),
+  V(ExtendAllowPrivateAddresses, BOOL,     "1"),
   V(V3AuthVotingInterval,        INTERVAL, "5 minutes"),
   V(V3AuthVoteDelay,             INTERVAL, "20 seconds"),
   V(V3AuthDistDelay,             INTERVAL, "20 seconds"),
diff --git a/src/or/or.h b/src/or/or.h
index 908daa61c0a471898ea224c0e96bfd8185724494..9074083a0430306a7fe7dcac3f44b0d65f70ef2a 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3029,8 +3029,10 @@ typedef struct {
   config_line_t *RecommendedVersions;
   config_line_t *RecommendedClientVersions;
   config_line_t *RecommendedServerVersions;
-  /** Whether dirservers refuse router descriptors with private IPs. */
+  /** Whether dirservers allow router descriptors with private IPs. */
   int DirAllowPrivateAddresses;
+  /** Whether routers accept EXTEND cells to routers with private IPs. */
+  int ExtendAllowPrivateAddresses;
   char *User; /**< Name of user to run Tor as. */
   char *Group; /**< Name of group to run Tor as. */
   config_line_t *ORPort_lines; /**< Ports to listen on for OR connections. */
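Review bot: The new field comment says "routers with private IPs", which is narrower than what the option controls. The check in circuitbuild.c uses tor_addr_is_internal(), and doc/tor.1.txt describes the scope as localhost, RFC1918 addresses "and so on". I would word it as `/** Whether relays accept EXTEND cells naming an internal address (localhost, RFC1918, etc.). Off by default; enabled only by the testing-network defaults. */` so the struct documents both the scope and the fact that it is a security-relevant switch. The struct definition starts and ends outside this hunk.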