mirror of https://gitlab.nic.cz/labs/bird.git synced 2024-11-09 20:58:44 +00:00

BFD: Improve incoming packet matching

For active sessions, ignore received packets with zero local id and
mismatched remote id. That forces a session timeout instead of an
immediate session restart. It makes BFD sessions more resilient to
packet spoofing.

Thanks to André Grüneberg for the suggestion.
Ondrej Zajicek 2023-01-22 23:42:08 +01:00 committed by Igor Putovny
parent 084f5381f1
commit 248b505e1f

@ -374,6 +374,10 @@ bfd_rx_hook(sock *sk, uint len)
/* FIXME: better session matching and message */
if (!s)
return 1;
/* For active sessions we require matching remote id */
if ((s->loc_state == BFD_STATE_UP) && (ntohl(pkt->snd_id) != s->rem_id))
DROP("mismatched remote id", ntohl(pkt->snd_id));
}
/* bfd_check_authentication() has its own error logging */
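
Review bot: The added condition `s->loc_state == BFD_STATE_UP` limits the remote-id check to sessions in the Up state, while the comment above it and the commit message both say "active sessions". As written, a session in any other state still accepts a packet from this branch whose `snd_id` differs from `s->rem_id`. If that is the intent, the comment should name the state, for example "For sessions in Up state we require matching remote id", and say briefly why the other states are left out, so the next reader does not widen or narrow the check by accident. The FIXME about better session matching directly above is left in place; if this check is meant to address part of it, updating that comment in the same change would help.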