authorOndrej Zajicek <santiago@crfreenet.org>2023-01-22 23:42:08 +0100
committerOndrej Zajicek <santiago@crfreenet.org>2023-01-22 23:42:08 +0100
commit99872676df45f1a490d3d63f43081afb41477040 (patch)
tree15f2be0eb931a385a97e2168711e7e5053feaca9 /proto/bfd/packets.c
parenta82683694da23799f247b3392a00efdd342afdfc (diff)
BFD: Improve incoming packet matching
For active sessions, ignore received packets with zero local id and mismatched remote id. Doing so forces a session timeout instead of an immediate session restart, which makes BFD sessions more resilient to packet spoofing. Thanks to André Grüneberg for the suggestion.
Diffstat (limited to 'proto/bfd/packets.c')
-rw-r--r--proto/bfd/packets.c4
1 files changed, 4 insertions, 0 deletions
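diff --git a/proto/bfd/packets.c b/proto/bfd/packets.c
index 5f10734c..cb5f0d89 100644
--- a/proto/bfd/packets.c
+++ b/proto/bfd/packets.c
@@ -374,6 +374,10 @@ bfd_rx_hook(sock *sk, uint len)
 /* FIXME: better session matching and message */
 if (!s)
 return 1;
+
+ /* For active sessions we require matching remote id */
+ if ((s->loc_state == BFD_STATE_UP) && (ntohl(pkt->snd_id) != s->rem_id))
+ DROP("mismatched remote id", ntohl(pkt->snd_id));
 }
 /* bfd_check_authentication() has its own error logging */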
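Review bot: The added guard evaluates `ntohl(pkt->snd_id)` twice, once in the comparison and again as the DROP argument; hoisting it into a local such as `u32 id = ntohl(pkt->snd_id);` before the `if` keeps both uses consistent and presumably mirrors how the lookup-by-id branch handles `rcv_id` (that branch is outside the hunk). The one-line comment on the added lines says what is required but not why the packet is dropped rather than used to restart the session, and that reasoning currently lives only in the commit message; I would extend it to `/* For active sessions we require matching remote id: a zero-rcv_id packet with a foreign snd_id is ignored, so a spoofed packet can at most force a timeout, not an immediate restart */`. The check is keyed on `loc_state == BFD_STATE_UP` only; whether a session in INIT state, which may already have learned `rem_id`, should get the same treatment depends on how `rem_id` is assigned elsewhere in the file and is worth confirming. bfd_rx_hook begins before and continues after this hunk.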