| author | Ondrej Zajicek <santiago@crfreenet.org> | 2023-01-22 23:42:08 +0100 |
|---|---|---|
| committer | Ondrej Zajicek <santiago@crfreenet.org> | 2023-01-22 23:42:08 +0100 |
| commit | 99872676df45f1a490d3d63f43081afb41477040 | |
| tree | 15f2be0eb931a385a97e2168711e7e5053feaca9 | |
| parent | a82683694da23799f247b3392a00efdd342afdfc | |
BFD: Improve incoming packet matching
For active sessions, ignore received packets with zero local id and
mismatched remote id. That forces a session timeout instead of an
immediate session restart. It makes BFD sessions more resilient to
packet spoofing.
Thanks to André Grüneberg for the suggestion.
-rw-r--r-- | proto/bfd/packets.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/proto/bfd/packets.c b/proto/bfd/packets.c index 5f10734c..cb5f0d89 100644 --- a/proto/bfd/packets.c +++ b/proto/bfd/packets.c @@ -374,6 +374,10 @@ bfd_rx_hook(sock *sk, uint len) /* FIXME: better session matching and message */ if (!s) return 1; + + /* For active sessions we require matching remote id */ + if ((s->loc_state == BFD_STATE_UP) && (ntohl(pkt->snd_id) != s->rem_id)) + DROP("mismatched remote id", ntohl(pkt->snd_id)); } /* bfd_check_authentication() has its own error logging */ |
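Review bot: the new check in bfd_rx_hook() only guards sessions whose loc_state is BFD_STATE_UP, while the commit message says active sessions with a "zero local id and mismatched remote id" are ignored; nothing in this hunk looks at the packet's local (Your Discriminator) field, so either the zero-local-id case is already handled in the lookup that produces `s` above the hunk, in which case the new comment should say so, or the message overstates what the code does. Suggest expanding `/* For active sessions we require matching remote id */` to name the state the check applies to and where the zero-id matching happens, and consider whether a session that has already learned `rem_id` in the Init state should also be covered, since the condition as written will still let a spoofed packet with a wrong remote id reset a session that is not yet Up. Note also that the `DROP()` logs `ntohl(pkt->snd_id)` on every mismatch, which is useful for detecting spoofing attempts but can be noisy on a busy link; rate limiting the log line is worth a follow-up if the existing `DROP` macro does not already do that. The stale `/* FIXME: better session matching and message */` just above this addition could be updated now that matching has been tightened.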