Source: tinyproxy
Severity: important

Dear Maintainer,

When setting a socks4 proxy as upstream to use with Tor, once you visit an 
onion address, tinyproxy will crash.

I helped upstream debug this, and it was fixed in the following two commits:
https://github.com/tinyproxy/tinyproxy/commit/7ea9f80d3f31c85a4729854b47977e282632e6ed
https://github.com/tinyproxy/tinyproxy/commit/563978a3ea4e8b51fcf547298dfdafc516e04526

An example debdiff:

diff --git a/debian/changelog b/debian/changelog
index 97d959e..d219c28 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+tinyproxy (1.10.0-5) unstable; urgency=medium
+
+  * d/p/0001_fix-segfault-with-socks4.patch:
+    - Grab an upstream patch to fix a segfault when using socks4 with tor.
+
+ -- Unit 193 <unit...@debian.org>  Fri, 25 Jun 2021 00:59:55 -0400
+
 tinyproxy (1.10.0-4) unstable; urgency=medium
 
   * debian/tinyproxy.init:
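Review bot: the changelog entry under `* d/p/0001_fix-segfault-with-socks4.patch:` names a single upstream patch, while the report above says the crash was fixed in two upstream commits (7ea9f80d… and 563978a3…); either include the second commit in this upload or state in the entry why 7ea9f80d alone is sufficient for 1.10.0. Recording the upstream commit hash in the entry and closing this report (`Closes: #<bug number>`, placeholder, the number is not in this message) would also make the fix traceable from the package history.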
diff --git a/debian/patches/0001_fix-segfault-with-socks4.patch 
b/debian/patches/0001_fix-segfault-with-socks4.patch
new file mode 100644
index 0000000..e69a8ca
--- /dev/null
+++ b/debian/patches/0001_fix-segfault-with-socks4.patch
@@ -0,0 +1,51 @@
+From 7ea9f80d3f31c85a4729854b47977e282632e6ed Mon Sep 17 00:00:00 2001
+From: rofl0r <rof...@users.noreply.github.com>
+Date: Fri, 25 Jun 2021 02:43:00 +0100
+Subject: [PATCH] fix segfault in socks4 upstream with unresolvable hostname
+
+using a socks4 tor upstream with an .onion url resulted in
+gethostbyname() returning NULL and a subsequent segfault.
+not only did the code not check the return value of gethostbyname(),
+that resolver API itself isn't threadsafe.
+
+as pure SOCKS4 supports only IPv4 addresses, and the main SOCKS4
+user to this date is tor, we just use SOCKS4a unconditionally and
+pass the hostname to the proxy without trying to do any local name
+resolving.
+
+i suspect in 2021 almost all SOCKS4 proxy servers in existence use
+SOCKS4a extension, but should i be wrong on this, i prefer issue
+reports to show up and implement plain SOCKS4 fallback only when
+i see it is actually used in practice.
+---
+ src/reqs.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/src/reqs.c       2021-06-25 01:00:13.026080096 -0400
++++ b/src/reqs.c       2021-06-25 01:00:13.026080096 -0400
+@@ -1287,7 +1287,6 @@
+       unsigned short port;
+       size_t ulen, passlen;
+ 
+-      struct hostent *host;
+       struct upstream *cur_upstream = connptr->upstream_proxy;
+ 
+       ulen = cur_upstream->ua.user ? strlen(cur_upstream->ua.user) : 0;
+@@ -1304,10 +1303,13 @@
+               buff[1] = 1; /* connect command */
+               port = htons(request->port);
+               memcpy(&buff[2], &port, 2); /* dest port */
+-              host = gethostbyname(request->host);
+-              memcpy(&buff[4], host->h_addr_list[0], 4); /* dest ip */
+-              buff[8] = 0; /* user */
+-              if (9 != safe_write(connptr->server_fd, buff, 9))
++              memcpy(&buff[4], "\0\0\0\1" /* socks4a fake ip */
++                               "\0" /* user */, 5);
++              len = strlen(request->host);
++              if(len>255)
++                      return -1;
++              memcpy(&buff[9], request->host, len+1);
++              if (9+len+1 != safe_write(connptr->server_fd, buff, 9+len+1))
+                       return -1;
+               if (8 != safe_read(connptr->server_fd, buff, 8))
+                       return -1;
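Review bot: the bound check `if(len>255) return -1;` followed by `memcpy(&buff[9], request->host, len+1);` writes up to 265 bytes into `buff`, but neither `buff` nor `len` is declared in the visible hunk context (only `struct hostent *host;` is removed), so confirm in the 1.10.0 source that `buff` is at least 265 bytes and that `len` is an unsigned type, since `9+len+1 != safe_write(...)` would otherwise be a mixed-sign comparison. This file also carries only the first of the two upstream commits the report references; if 563978a3… is a follow-up to this change it belongs here or in a second patch, and a DEP-3 `Bug-Debian:` header alongside the existing `From:` line would tie the patch to this report.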
diff --git a/debian/patches/series b/debian/patches/series
index 2093e6b..dd8047b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 1001_fix-select.patch
 1002_fix-ftbfs-on-Hurd.patch
 1003_fix-rereading-filter-conf-when-unprivileged.patch
+0001_fix-segfault-with-socks4.patch
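Review bot: the new entry `0001_fix-segfault-with-socks4.patch` is appended after the 1001-1003 patches, so its number does not match its position in the apply order that the existing entries follow; either renumber it to continue the sequence or keep the prefix deliberately and say so in the changelog. There is also no series entry for the second upstream commit (563978a3…) named in the report.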


-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-5-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
