dhcp: Fix destination port check in packet filter

The previous code compared the port in the packet to the client port and, if
successful, checked it also against the server port, which, therefore, never
matched, but due to incorrect offsets did skip the BPF_JA.  If the client port
didn't match the code also skipped to the instruction after the BPF_JA.
However, the latter was incorrect also and processing would have continued at
the next instruction anyway.  Basically, DHCP packets to any port were accepted.

What's not fixed with this is that the kernel returns an ICMP Port
unreachable for packets sent to the server port (67) because we don't
have a socket bound to it.

Fixes: f0212e8837b5 ("Accept DHCP replies on bootps port, as we act as a relay agent if server address configured")

diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
index 7541c3b4921f1bea6ab15d6d9e6a05b3796d5608..02aa298536d1e768c2b4ef54718ecb1c750b6ca4 100644 (file)
--- a/src/libcharon/plugins/dhcp/dhcp_socket.c
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -685,9 +685,9 @@ dhcp_socket_t *dhcp_socket_create()
                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, DHCP_SERVER_PORT, 0, 14),
                BPF_STMT(BPF_LD+BPF_H+BPF_ABS, sizeof(struct iphdr) +
                                 offsetof(struct udphdr, dest)),
-               BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, DHCP_CLIENT_PORT, 0, 2),
-               BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, DHCP_SERVER_PORT, 0, 1),
-               BPF_JUMP(BPF_JMP+BPF_JA, 0, 0, 10),
+               BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, DHCP_CLIENT_PORT, 2, 0),
+               BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, DHCP_SERVER_PORT, 1, 0),
+               BPF_JUMP(BPF_JMP+BPF_JA, 10, 0, 0),
                BPF_STMT(BPF_LD+BPF_B+BPF_ABS, sizeof(struct iphdr) +
                                 sizeof(struct udphdr) + offsetof(dhcp_t, opcode)),
                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, BOOTREPLY, 0, 8),