net: Do not apply whitelist permission to onion inbounds

mzumsande · vasild · mzumsande · commit f563ce90818d · 2025-09-16T13:35:34.000-04:00
Tor inbound connections do not reveal the peer's actual network address.
Therefore do not apply whitelist permissions to them.

Co-authored-by: Vasil Dimov &lt;vd@FreeBSD.org&gt;
diff --git a/src/net.cpp b/src/net.cpp
@@ -574,9 +574,9 @@ void CNode::CloseSocketDisconnect()
     m_i2p_sam_session.reset();
 }
 
-void CConnman::AddWhitelistPermissionFlags(NetPermissionFlags& flags, const CNetAddr &addr, const std::vector<NetWhitelistPermissions>& ranges) const {
+void CConnman::AddWhitelistPermissionFlags(NetPermissionFlags& flags, std::optional<CNetAddr> addr, const std::vector<NetWhitelistPermissions>& ranges) const {
     for (const auto& subnet : ranges) {
-        if (subnet.m_subnet.Match(addr)) {
+        if (addr.has_value() && subnet.m_subnet.Match(addr.value())) {
             NetPermissions::AddFlag(flags, subnet.m_flags);
         }
     }
@@ -1768,7 +1768,11 @@ void CConnman::CreateNodeFromAcceptedSocket(std::unique_ptr<Sock>&& sock,
 {
     int nInbound = 0;
 
-    AddWhitelistPermissionFlags(permission_flags, addr, vWhitelistedRangeIncoming);
+    const bool inbound_onion = std::find(m_onion_binds.begin(), m_onion_binds.end(), addr_bind) != m_onion_binds.end();
+
+    // Tor inbound connections do not reveal the peer's actual network address.
+    // Therefore do not apply address-based whitelist permissions to them.
+    AddWhitelistPermissionFlags(permission_flags, inbound_onion ? std::optional<CNetAddr>{} : addr, vWhitelistedRangeIncoming);
 
     {
         LOCK(m_nodes_mutex);
@@ -1823,7 +1827,6 @@ void CConnman::CreateNodeFromAcceptedSocket(std::unique_ptr<Sock>&& sock,
     NodeId id = GetNewNodeId();
     uint64_t nonce = GetDeterministicRandomizer(RANDOMIZER_ID_LOCALHOSTNONCE).Write(id).Finalize();
 
-    const bool inbound_onion = std::find(m_onion_binds.begin(), m_onion_binds.end(), addr_bind) != m_onion_binds.end();
     // The V2Transport transparently falls back to V1 behavior when an incoming V1 connection is
     // detected, so use it whenever we signal NODE_P2P_V2.
     ServiceFlags local_services = GetLocalServices();
diff --git a/src/net.h b/src/net.h
@@ -1377,7 +1377,7 @@ class CConnman
 
     bool AttemptToEvictConnection();
     CNode* ConnectNode(CAddress addrConnect, const char *pszDest, bool fCountFailure, ConnectionType conn_type, bool use_v2transport) EXCLUSIVE_LOCKS_REQUIRED(!m_unused_i2p_sessions_mutex);
-    void AddWhitelistPermissionFlags(NetPermissionFlags& flags, const CNetAddr &addr, const std::vector<NetWhitelistPermissions>& ranges) const;
+    void AddWhitelistPermissionFlags(NetPermissionFlags& flags, std::optional<CNetAddr> addr, const std::vector<NetWhitelistPermissions>& ranges) const;
 
     void DeleteNode(CNode* pnode);
 

Original file line number	Diff line number	Diff line change
`@@ -574,9 +574,9 @@ void CNode::CloseSocketDisconnect()`
`574`	`574`	`m_i2p_sam_session.reset();`
`575`	`575`	`}`
`576`	`576`
`577`		`-void CConnman::AddWhitelistPermissionFlags(NetPermissionFlags& flags, const CNetAddr &addr, const std::vector<NetWhitelistPermissions>& ranges) const {`
	`577`	`+void CConnman::AddWhitelistPermissionFlags(NetPermissionFlags& flags, std::optional<CNetAddr> addr, const std::vector<NetWhitelistPermissions>& ranges) const {`
`578`	`578`	`for (const auto& subnet : ranges) {`
`579`		`- if (subnet.m_subnet.Match(addr)) {`
	`579`	`+ if (addr.has_value() && subnet.m_subnet.Match(addr.value())) {`
`580`	`580`	`NetPermissions::AddFlag(flags, subnet.m_flags);`
`581`	`581`	`}`
`582`	`582`	`}`
`@@ -1768,7 +1768,11 @@ void CConnman::CreateNodeFromAcceptedSocket(std::unique_ptr<Sock>&& sock,`
`1768`	`1768`	`{`
`1769`	`1769`	`int nInbound = 0;`
`1770`	`1770`
`1771`		`- AddWhitelistPermissionFlags(permission_flags, addr, vWhitelistedRangeIncoming);`
	`1771`	`+ const bool inbound_onion = std::find(m_onion_binds.begin(), m_onion_binds.end(), addr_bind) != m_onion_binds.end();`
	`1772`	`+`
	`1773`	`+ // Tor inbound connections do not reveal the peer's actual network address.`
	`1774`	`+ // Therefore do not apply address-based whitelist permissions to them.`
	`1775`	`+ AddWhitelistPermissionFlags(permission_flags, inbound_onion ? std::optional<CNetAddr>{} : addr, vWhitelistedRangeIncoming);`
`1772`	`1776`
`1773`	`1777`	`{`
`1774`	`1778`	`LOCK(m_nodes_mutex);`
`@@ -1823,7 +1827,6 @@ void CConnman::CreateNodeFromAcceptedSocket(std::unique_ptr<Sock>&& sock,`
`1823`	`1827`	`NodeId id = GetNewNodeId();`
`1824`	`1828`	`uint64_t nonce = GetDeterministicRandomizer(RANDOMIZER_ID_LOCALHOSTNONCE).Write(id).Finalize();`
`1825`	`1829`
`1826`		`- const bool inbound_onion = std::find(m_onion_binds.begin(), m_onion_binds.end(), addr_bind) != m_onion_binds.end();`
`1827`	`1830`	`// The V2Transport transparently falls back to V1 behavior when an incoming V1 connection is`
`1828`	`1831`	`// detected, so use it whenever we signal NODE_P2P_V2.`
`1829`	`1832`	`ServiceFlags local_services = GetLocalServices();`