@@ -363,8 +363,7 @@ static int is_dns_port(unsigned short port) {
363363/**************************************************************************************************************************************************************/
364364/******* HOOK FUNCTIONS *************************************************************************************************************************************/
365365
366- int connect (int sock , const struct sockaddr * addr , socklen_t len ) {
367-
366+ int connect (int sock , const struct sockaddr * addr , socklen_t len ) {
368367 PDEBUG ("\n\n\n\n\n\n\n\n\n\n\n\n...CONNECT........................................................................................................... \n\n" );
369368
370369 int socktype = 0 , flags = 0 , ret = 0 ;
@@ -425,36 +424,22 @@ int connect(int sock, const struct sockaddr *addr, socklen_t len) {
425424 PDEBUG("connect: noip... ignoring\n");
426425 return true_connect(sock, addr, len);
427426 }*/
428-
429- //Block other sock
430- //WARNING NORMALLY I DONT BLOCK THESE...
431- if (SOCKFAMILY (* addr ) != AF_INET ) {
432- if (proxybound_allow_leak ) {
433- PDEBUG ("connect: allowing direct non tcp connect()\n" );
434- return true_connect (sock , addr , len );
435- } else {
436- PDEBUG ("connect: blocking direct non tcp connect() \n" );
437- if (!port ) return -1 ;
438- if ((proxybound_allow_dns ) && (is_dns_port (port ))) {return true_connect (sock , addr , len );}
439- else {return -1 ;}
440- return -1 ; //Au cas ou
441- }
442- }
443-
444- //Block udp etc. (socktype == SOCK_DGRAM) is non local udp bind already handled bellow
427+
445428 //SOCK_STREAM
446429 //SOCK_DGRAM
447430 //SOCK_SEQPACKET
448431 //SOCK_RAW
449432 //SOCK_RDM
450433 //SOCK_PACKET
451- if (socktype != SOCK_STREAM ) {
434+ //Block unsupported sock
435+ //WARNING: this block other unrelated network connect
436+ if ((socktype != SOCK_STREAM ) || (SOCKFAMILY (* addr ) != AF_INET )) {
452437 if (proxybound_allow_leak ) {
453438 PDEBUG ("connect: allowing direct udp connect()\n" );
454439 return true_connect (sock , addr , len );
455440 } else {
456- PDEBUG ("connect: blocking direct udp connect() \n" );
457- if (!port ) return -1 ;
441+ PDEBUG ("connect: blocking direct udp connect()\n" );
442+ if (!port ) { return -1 ;}
458443 if ((proxybound_allow_dns ) && (is_dns_port (port ))) {return true_connect (sock , addr , len );}
459444 else {return -1 ;}
460445 return -1 ; //Au cas ou
@@ -474,11 +459,8 @@ int connect(int sock, const struct sockaddr *addr, socklen_t len) {
474459 }
475460
476461 flags = fcntl (sock , F_GETFL , 0 );
477- if (flags & O_NONBLOCK )
478- fcntl (sock , F_SETFL , !O_NONBLOCK );
479-
462+ if (flags & O_NONBLOCK ) {fcntl (sock , F_SETFL , !O_NONBLOCK );}
480463 dest_ip .as_int = SOCKADDR (* addr );
481-
482464 ret = connect_proxy_chain (sock , dest_ip , SOCKPORT (* addr ), proxybound_pd , proxybound_proxy_count , proxybound_ct , proxybound_max_chain );
483465
484466 fcntl (sock , F_SETFL , flags );
@@ -490,20 +472,13 @@ int connect(int sock, const struct sockaddr *addr, socklen_t len) {
490472//int connect(int sock, const struct sockaddr *addr, socklen_t len)
491473int bind (int sockfd , const struct sockaddr * addr , socklen_t addrlen ) {
492474 PDEBUG ("bind: got a bind request ------------------------\n" );
493- //return true_bind(sockfd, addr, addrlen);
494475
495476 /* If the real bind doesn't exist, we're stuffed */
496477 if (true_bind == NULL ) {
497478 PDEBUG ("bind: unresolved symbol: bind\n" );
498479 return -1 ;
499- }
480+ }
500481
501- // ------------------------------------------------------------------------------------
502- // Borrowed from connect function and adapted
503-
504- //proxify variables
505- //ip_type dest_ip;
506- //int ret = 0, flags = 0;
507482 int socktype = 0 ;
508483 socklen_t optlen = 0 ;
509484 char ip [256 ];
@@ -567,14 +542,6 @@ int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
567542 }
568543 }
569544
570- //Block udp etc. (socktype == SOCK_DGRAM) is non local udp bind already handled bellow
571- //SOCK_STREAM
572- //SOCK_DGRAM
573- //SOCK_SEQPACKET
574- //SOCK_RAW
575- //SOCK_RDM
576- //SOCK_PACKET
577-
578545 #ifdef DEBUG
579546 PDEBUG ("------------------------------- \n" );
580547 PDEBUG ("bind() sock SOCK_STREAM = %d\n" ,SOCK_STREAM );
@@ -589,44 +556,53 @@ int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
589556 PDEBUG ("------------------------------- \n" );
590557 #endif
591558
592- //Required to proxify the connection
559+ //Required for proxify
593560 //Type Raw, 0.0.0.0, MSG_PROXY
594561 //if ((socktype == SOCK_RAW) && (SOCKFAMILY(*addr) == MSG_PROXY)) {
595562 if ((SOCKFAMILY (* addr ) == MSG_PROXY )) {
596563 if ((ip [0 ] == '0' ) && (ip [1 ] == '.' ) && (ip [2 ] == '0' ) && (ip [3 ] == '.' ) && (ip [4 ] == '0' ) && (ip [5 ] == '.' ) && (ip [6 ] == '0' )) {
597- PDEBUG ("bind: bind allowing Raw , 0.0.0.0, MSG_PROXY...\n" );
564+ PDEBUG ("bind: bind allowing, 0.0.0.0, MSG_PROXY...\n" );
598565 return true_bind (sockfd , addr , addrlen );
599566 }
600567 }
601568
569+ //SOCK_STREAM
570+ //SOCK_DGRAM
571+ //SOCK_SEQPACKET
572+ //SOCK_RAW
573+ //SOCK_RDM
574+ //SOCK_PACKET
575+ //Block unsupported sock
576+ //WARNING: this block other unrelated network connect
602577 if (socktype != SOCK_STREAM ) {
603578 if (proxybound_allow_leak ) {
604579 PDEBUG ("bind: allowing direct udp bind()\n" );
605580 return true_bind (sockfd , addr , addrlen );
606581 } else {
607582 PDEBUG ("bind: blocking direct udp bind()\n" );
608- if (!port ) return -1 ;
583+ if (!port ) { PDEBUG ( "bind: blocking direct udp bind()\n" ); return -1 ;}
609584 if ((proxybound_allow_dns ) && (is_dns_port (port ))) {return true_bind (sockfd , addr , addrlen );}
610- else {return -1 ;}
585+ else {
586+ PDEBUG ("bind: blocking direct udp bind()\n" );
587+ return -1 ;
588+ }
589+ PDEBUG ("bind: blocking direct udp bind()\n" );
611590 return -1 ; //Au cas ou
612591 }
613592 } else {
614593 //SOCK_STREAM TCP
615594 return true_bind (sockfd , addr , addrlen );
616595 }
617596
618- return true_bind (sockfd , addr , addrlen );
597+ if (proxybound_allow_leak ) {
598+ return true_bind (sockfd , addr , addrlen );
599+ } else {
600+ PDEBUG ("bind: blocking direct udp bind()\n" );
601+ return -1 ;
602+ }
619603
620- //proxify connect function
621- /*flags = fcntl(sockfd, F_GETFL, 0);
622- if(flags & O_NONBLOCK)
623- fcntl(sockfd, F_SETFL, !O_NONBLOCK);
624- dest_ip.as_int = SOCKADDR(*addr);
625- ret = connect_proxy_chain(sockfd, dest_ip, SOCKPORT(*addr), proxybound_pd, proxybound_proxy_count, proxybound_ct, proxybound_max_chain);
626- fcntl(sockfd, F_SETFL, flags);
627- if(ret != SUCCESS)
628- errno = ECONNREFUSED;
629- return ret;*/
604+ PDEBUG ("bind: blocking direct udp bind()\n" );
605+ return -1 ;
630606}
631607
632608ssize_t sendto (int sockfd , const void * buf , size_t len , int flags , const struct sockaddr * dest_addr , socklen_t addrlen ) {
@@ -645,52 +621,70 @@ ssize_t sendto(int sockfd, const void *buf, size_t len, int flags, const struct
645621 connaddr = (struct sockaddr_in * ) dest_addr ;
646622
647623 if (!connaddr ) {
624+ PDEBUG ("sendto: no dest_addr, allowing\n" );
648625 return true_sendto (sockfd , buf , len , flags , * dest_addr , addrlen );
649626 }
650627
651628 if (connaddr -> sin_family == AF_UNIX ) {
629+ PDEBUG ("sendto: allowing unix\n" );
652630 return true_sendto (sockfd , buf , len , flags , * dest_addr , addrlen );
653631 }
654632
655633 /* Get the type of the socket */
656634 getsockopt (sockfd , SOL_SOCKET , SO_TYPE , (void * ) & sock_type , & sock_type_len );
657635
658- //WARNING NORMALLY I DONT BLOCK THEASE != AF_INET...
636+ //SOCK_STREAM
637+ //SOCK_DGRAM
638+ //SOCK_SEQPACKET
639+ //SOCK_RAW
640+ //SOCK_RDM
641+ //SOCK_PACKET
642+ //Block unsupported sock
643+ //WARNING: this block other unrelated network connect
659644 if ((connaddr -> sin_family != AF_INET ) || (sock_type != SOCK_STREAM )) {
660- PDEBUG ("sendto: is on a udp stream\n" );
661-
645+ PDEBUG ("sendto: is on a udp/unsupported stream\n" );
662646 char ip [256 ];
663647 struct in_addr * p_addr_in ;
664-
665648 p_addr_in = & ((struct sockaddr_in * ) connaddr )-> sin_addr ;
666649 inet_ntop (AF_INET , p_addr_in , ip , sizeof (ip ));
667-
668650 PDEBUG ("sendto: ip: %s\n" ,ip );
669651
670652 //Allow local
671- if ((ip [0 ] == '1' ) && (ip [1 ] == '2' ) && (ip [2 ] == '7' ) && (ip [3 ] == '.' ))
653+ if ((ip [0 ] == '1' ) && (ip [1 ] == '2' ) && (ip [2 ] == '7' ) && (ip [3 ] == '.' )) {
654+ PDEBUG ("sendto: allowing local 127.0.0.1\n" );
672655 return true_sendto (sockfd , buf , len , flags , * dest_addr , addrlen );
673- else
674- PDEBUG ("sendto: is on a udp stream with a non-local destination, may be a dns request: rejecting.\n" );
656+ }
675657
676658 //Blocking the connection
677- if (proxybound_allow_leak ) PDEBUG ("sendto: allowing direct udp sendto()\n" ); else {
659+ if (proxybound_allow_leak ) {
660+ PDEBUG ("sendto: allowing direct udp sendto()\n" );
661+ } else {
678662 unsigned short port ;
679663 port = ntohs (((struct sockaddr_in * ) connaddr )-> sin_port );
680- if (!port ) return -1 ;
664+ if (!port ) { PDEBUG ( "sendto: rejecting.\n" ); return -1 ;}
681665 if ((proxybound_allow_dns ) && (is_dns_port (port ))) {return true_sendto (sockfd , buf , len , flags , * dest_addr , addrlen );}
682- else {return -1 ;}
666+ else {
667+ PDEBUG ("sendto: rejecting.\n" );
668+ return -1 ;
669+ }
670+ PDEBUG ("sendto: rejecting.\n" );
683671 return -1 ; //Au cas ou
684672 }
685673 } else {
686674 return true_sendto (sockfd , buf , len , flags , * dest_addr , addrlen );
687675 //return (ssize_t) true_sendto(sockfd, buf, len, flags, *dest_addr, addrlen);
688676 }
689- return -1 ;
677+
678+ if (proxybound_allow_leak ) {
679+ return true_sendto (sockfd , buf , len , flags , * dest_addr , addrlen );
680+ } else {
681+ PDEBUG ("sendto: rejecting.\n" );
682+ return -1 ;
683+ }
690684}
691685
692686ssize_t send (int sockfd , const void * buf , size_t len , int flags ) {
693- PDEBUG ("send: got send request --------------------------\n" );
687+ // PDEBUG("send: got send request --------------------------\n"); //avoid too talkative logs
694688 //The send() call may be used only when the socket is in a connected state (so that the intended recipient is known)
695689 //To avoid any hack this is watched for leak too
696690
@@ -700,7 +694,6 @@ ssize_t send(int sockfd, const void *buf, size_t len, int flags) {
700694 return -1 ;
701695 }
702696
703- //return true_send(sockfd, buf, len, flags);
704697 if (proxybound_allow_leak ) {
705698 PDEBUG ("send: allowing direct send()\n" );
706699 return true_send (sockfd , buf , len , flags );
@@ -713,19 +706,22 @@ ssize_t send(int sockfd, const void *buf, size_t len, int flags) {
713706 /* Get the type of the socket */
714707 getsockopt (sockfd , SOL_SOCKET , SO_TYPE , (void * ) & sock_type , & sock_type_len );
715708
709+ //SOCK_STREAM
710+ //SOCK_DGRAM
711+ //SOCK_SEQPACKET
712+ //SOCK_RAW
713+ //SOCK_RDM
714+ //SOCK_PACKET
715+ //Block unsupported sock
716+ //TODO may block dns here
717+ //WARNING: this block other unrelated network connect
716718 if (sock_type != SOCK_STREAM ) {
717- //SOCK_STREAM
718- //SOCK_DGRAM
719- //SOCK_SEQPACKET
720- //SOCK_RAW
721- //SOCK_RDM
722- //SOCK_PACKET
723719 PDEBUG ("send: blocking send request type SOCK_DGRAM/SOCK_SEQPACKET/SOCK_RAW/SOCK_RDM/SOCK_PACKET\n" );
724720 return -1 ;
725- //TODO may block dns here
726721 } else {
727722 return true_send (sockfd , buf , len , flags );
728- }
723+ }
724+ PDEBUG ("send: blocking send request" );
729725 return -1 ;
730726 }
731727}
@@ -746,17 +742,26 @@ ssize_t sendmsg(int sockfd, const struct msghdr *msg, int flags) {
746742 connaddr = (struct sockaddr_in * ) msg -> msg_name ;
747743
748744 if (!connaddr ) {
745+ PDEBUG ("sendmsg: no msg_name (dest), allowing\n" );
749746 return true_sendmsg (sockfd , msg , flags );
750747 }
751748
752749 if (connaddr -> sin_family == AF_UNIX ) {
750+ PDEBUG ("sendmsg: allowing unix\n" );
753751 return true_sendmsg (sockfd , msg , flags );
754752 }
755753
756754 /* Get the type of the socket */
757755 getsockopt (sockfd , SOL_SOCKET , SO_TYPE , (void * ) & sock_type , & sock_type_len );
758756
759- //WARNING NORMALLY I DONT BLOCK THEASE != AF_INET...
757+ //SOCK_STREAM
758+ //SOCK_DGRAM
759+ //SOCK_SEQPACKET
760+ //SOCK_RAW
761+ //SOCK_RDM
762+ //SOCK_PACKET
763+ //Block unsupported sock
764+ //WARNING: this block other unrelated network connect
760765 if ((connaddr -> sin_family != AF_INET ) || (sock_type != SOCK_STREAM )) {
761766 PDEBUG ("sendmsg: is on a udp stream\n" );
762767
@@ -769,29 +774,35 @@ ssize_t sendmsg(int sockfd, const struct msghdr *msg, int flags) {
769774 PDEBUG ("sendmsg: ip: %s\n" ,ip );
770775
771776 //Allow local
772- if ((ip [0 ] == '1' ) && (ip [1 ] == '2' ) && (ip [2 ] == '7' ) && (ip [3 ] == '.' ))
777+ if ((ip [0 ] == '1' ) && (ip [1 ] == '2' ) && (ip [2 ] == '7' ) && (ip [3 ] == '.' )) {
778+ PDEBUG ("sendmsg: allowing local 127.0.0.1\n" );
773779 return true_sendmsg (sockfd , msg , flags );
774- else
775- PDEBUG ("sendmsg: is on a udp stream with a non-local destination, may be a dns request: rejecting.\n" );
780+ }
776781
777782 //Blocking the connection
778- if (proxybound_allow_leak ) PDEBUG ("sendmsg: allowing direct udp sendmsg()\n" ); else {
783+ if (proxybound_allow_leak ) {
784+ PDEBUG ("sendmsg: allowing direct udp sendmsg()\n" );
785+ } else {
779786 unsigned short port ;
780787 port = ntohs (((struct sockaddr_in * ) connaddr )-> sin_port );
781- if (!port ) return -1 ;
788+ if (!port ) { PDEBUG ( "sendmsg: blocking\n" ); return -1 ;}
782789 if ((proxybound_allow_dns ) && (is_dns_port (port ))) {return true_sendmsg (sockfd , msg , flags );}
783- else {return -1 ;}
790+ else {PDEBUG ("sendmsg: blocking\n" ); return -1 ;}
791+ PDEBUG ("sendmsg: blocking\n" );
784792 return -1 ; //Au cas ou
785793 }
786794
787795 } else {
788796 return true_sendmsg (sockfd , msg , flags );
789- //return (ssize_t) true_sendmsg(sockfd, msg, flags);;
790- //ssize_t ret;
791- //ret = true_sendmsg(sockfd, msg, flags);
792- //return ret;
797+ //return (ssize_t) true_sendmsg(sockfd, msg, flags);
798+ }
799+
800+ if (proxybound_allow_leak ) {
801+ return true_sendmsg (sockfd , msg , flags );
802+ } else {
803+ PDEBUG ("sendmsg: blocking\n" );
804+ return -1 ;
793805 }
794- return -1 ;
795806}
796807
797808//TODO: DNS LEAK: OTHER RESOLVER FUNCTION
0 commit comments