daemon/io: ignore UDP requests from ports < 1024 docs-develop-udp-kg8r2s/deployments/3558
authorVladimír Čunát <vladimir.cunat@nic.cz>
Thu, 29 Feb 2024 10:47:37 +0000 (11:47 +0100)
committerOto Šťáva <oto.stava@nic.cz>
Fri, 22 Mar 2024 11:56:36 +0000 (12:56 +0100)
NEWS
daemon/io.c

diff --git a/NEWS b/NEWS
index c0fd0dcaefdb98209972ba8e368125d25c094876..f44cb99a43c4905ba722768500c66bd1af526921 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ Improvements
 ------------
 - manager: clear the cache via management HTTP API (#876,!1491)
 - docs: documentation is now separated into user and developer parts (!1514)
+- daemon: ignore UDP requests from ports < 1024 (!1507)
 
 Bugfixes
 --------
index ac9a08e03737f223da3d35df01e5170c60dfb12a..ea98a7f0e65bc79e84b3b253a98a5dd1dad99ed5 100644 (file)
@@ -80,6 +80,14 @@ void udp_recv(uv_udp_t *handle, ssize_t nread, const uv_buf_t *buf,
                }
        }
 
+       // We're aware of no use cases for low source ports,
+       // and they might be useful for attacks with spoofed source IPs.
+       if (!s->outgoing && kr_inaddr_port(comm_addr) < 1024) {
+               kr_log_debug(IO, "<= ignoring UDP from suspicious port: '%s'\n",
+                               kr_straddr(comm_addr));
+               return;
+       }
+
        int ret = wire_buf_consume(&s->layers->wire_buf, nread);
        if (ret) {
                wire_buf_reset(&s->layers->wire_buf);
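Review bot: The threshold `1024` in the new condition is a bare magic number repeated in the comment above it; a named constant such as `enum { LOW_SRC_PORT_LIMIT = 1024 };` (constructed name) with the comparison written `kr_inaddr_port(comm_addr) < LOW_SRC_PORT_LIMIT` keeps the policy in one place and makes it obvious in a debugger or stats output. The drop is visible only through `kr_log_debug`, so an operator will not notice a spoofed-source flood hitting this branch unless debug logging is on; if the daemon keeps per-reason drop counters, incrementing one here is the cheap way to make the policy observable in normal operation. I believe `kr_inaddr_port()` yields 0 for an address family it does not handle, in which case such packets are also silently discarded here — confirm that is intended, and note it in the comment if so. The early `return` skips `wire_buf_consume`, which looks consistent with the other early exits in this function, but udp_recv's body starts outside the hunk so that cannot be checked from here.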