mirrors/bird
mirrors/bird
0
0
Fork 0
mirror of https://gitlab.nic.cz/labs/bird.git synced 2024-11-09 20:58:44 +00:00
Code Releases Activity

BFD: Improve incoming packet matching

Browse Source 
For active sessions, ignore received packets with zero local id and
mismatched remote id. That forces a session timeout instead of an
immediate session restart. It makes BFD sessions more resilient to
packet spoofing.

Thanks to André Grüneberg for the suggestion.
This commit is contained in:
Ondrej Zajicek 2023-01-22 23:42:08 +01:00 committed by Igor Putovny
parent 084f5381f1
commit 248b505e1f
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
proto/bfd/packets.c
View File

@ -374,6 +374,10 @@ bfd_rx_hook(sock *sk, uint len)
/* FIXME: better session matching and message */ /* FIXME: better session matching and message */
if (!s) if (!s)
return 1; return 1;
/* For active sessions we require matching remote id */
if ((s->loc_state == BFD_STATE_UP) && (ntohl(pkt->snd_id) != s->rem_id))
DROP("mismatched remote id", ntohl(pkt->snd_id));
} }
/* bfd_check_authentication() has its own error logging */ /* bfd_check_authentication() has its own error logging */