mirror of
https://gitlab.nic.cz/labs/bird.git
synced 2024-11-09 20:58:44 +00:00
BFD: Improve incoming packet matching
For active sessions, ignore received packets with zero local id and mismatched remote id. That forces a session timeout instead of an immediate session restart. It makes BFD sessions more resilient to packet spoofing. Thanks to André Grüneberg for the suggestion.
This commit is contained in:
parent
084f5381f1
commit
248b505e1f
@ -374,6 +374,10 @@ bfd_rx_hook(sock *sk, uint len)
|
||||
/* FIXME: better session matching and message */
|
||||
if (!s)
|
||||
return 1;
|
||||
|
||||
/* For active sessions we require matching remote id */
|
||||
if ((s->loc_state == BFD_STATE_UP) && (ntohl(pkt->snd_id) != s->rem_id))
|
||||
DROP("mismatched remote id", ntohl(pkt->snd_id));
|
||||
}
|
||||
|
||||
/* bfd_check_authentication() has its own error logging */
|
||||
|
Loading…
Reference in New Issue
Block a user