From 99872676df45f1a490d3d63f43081afb41477040 Mon Sep 17 00:00:00 2001
From: Ondrej Zajicek
Date: Sun, 22 Jan 2023 23:42:08 +0100
Subject: BFD: Improve incoming packet matching
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

For active sessions, ignore received packets with zero local id and mismatched remote id. That forces a session timeout instead of an immediate session restart. It makes BFD sessions more resilient to packet spoofing. Thanks to André Grüneberg for the suggestion.
---
 proto/bfd/packets.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/proto/bfd/packets.c b/proto/bfd/packets.c
index 5f10734c..cb5f0d89 100644
--- a/proto/bfd/packets.c
+++ b/proto/bfd/packets.c
@@ -374,6 +374,10 @@ bfd_rx_hook(sock *sk, uint len)
 /* FIXME: better session matching and message */
 if (!s)
 return 1;
+
+ /* For active sessions we require matching remote id */
+ if ((s->loc_state == BFD_STATE_UP) && (ntohl(pkt->snd_id) != s->rem_id))
+ DROP("mismatched remote id", ntohl(pkt->snd_id));
 }

 /* bfd_check_authentication() has its own error logging */
-- 
cgit v1.2.3
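Review bot: The added comment says "active sessions", but the condition tests only `s->loc_state == BFD_STATE_UP`, and "active" can also be read as the BFD active/passive role; naming the state would be clearer, e.g. `/* For sessions in Up state, a packet with zero local id must carry the known remote id */`. The comment should also say that the drop is deliberate even for a genuinely restarted peer, which is then recovered by the detection timeout rather than by this packet. The remote id is carried in cleartext in control packets, so this check only stops a sender that does not know it, and the `bfd_check_authentication()` call after the block remains the actual control against forged packets. Whether a session in Init state, which presumably already holds a learned `rem_id`, should get the same check is worth confirming. `bfd_rx_hook` starts and ends outside the hunk.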