BFD: Improve incoming packet matching

For active sessions, ignore received packets with zero local id and mismatched remote id. That forces a session timeout instead of an immediate session restart. It makes BFD sessions more resilient to packet spoofing. Thanks to André Grüneberg for the suggestion.
2024-11-08 12:18:42 +00:00 · 2023-01-22 23:42:08 +01:00 · 2023-01-22 23:42:08 +01:00 · 248b505e1f
commit 248b505e1f
parent 084f5381f1
1 changed files with 4 additions and 0 deletions
--- a/proto/bfd/packets.c
+++ b/proto/bfd/packets.c
@ -374,6 +374,10 @@ bfd_rx_hook(sock *sk, uint len)
    /* FIXME: better session matching and message */
    if (!s)
      return 1;
+
+    /* For active sessions we require matching remote id */
+    if ((s->loc_state == BFD_STATE_UP) && (ntohl(pkt->snd_id) != s->rem_id))
+      DROP("mismatched remote id", ntohl(pkt->snd_id));
  }

  /* bfd_check_authentication() has its own error logging */