From: Tobias Brunner
Date: Tue, 26 Nov 2019 16:43:57 +0000 (+0100)
Subject: farp: Ignore SAs with 0.0.0.0/0 remote traffic selector
X-Git-Tag: 5.8.2rc1~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7035340b213f3826d3d08c6081091806a175966c;p=thirdparty%2Fstrongswan.git

farp: Ignore SAs with 0.0.0.0/0 remote traffic selector

This is mostly to avoid hijacking the local LAN if the farp plugin is inadvertently active on a roadwarrior.

Fixes #3116.
---
diff --git a/src/libcharon/plugins/farp/farp_listener.c b/src/libcharon/plugins/farp/farp_listener.c
index 377dda3660..a48ede26e6 100644
--- a/src/libcharon/plugins/farp/farp_listener.c
+++ b/src/libcharon/plugins/farp/farp_listener.c
@@ -75,6 +75,8 @@ METHOD(listener_t, child_updown, bool,
 	enumerator_t *enumerator;
 	traffic_selector_t *ts;
 	entry_t *entry;
+	const chunk_t full_from = chunk_from_chars(0x00, 0x00, 0x00, 0x00),
+				  full_to = chunk_from_chars(0xff, 0xff, 0xff, 0xff);
 
 	if (up)
 	{
@@ -91,6 +93,13 @@ METHOD(listener_t, child_updown, bool,
 			{
 				continue;
 			}
+			/* ignore 0.0.0.0/0 remote TS because we don't want to
+			 * reply to ARP requests for locally connected subnets */
+			if (chunk_equals(ts->get_from_address(ts), full_from) &&
+				chunk_equals(ts->get_to_address(ts), full_to))
+			{
+				continue;
+			}
 			entry->remote->insert_last(entry->remote, ts->clone(ts));
 		}
 		enumerator->destroy(enumerator);
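Review bot: The guard in the second hunk only skips a remote traffic selector whose range is exactly 0.0.0.0 to 255.255.255.255, so a split default (0.0.0.0/1 plus 128.0.0.0/1) or any narrower range that still contains the local subnet is inserted into entry->remote as before and would presumably still be answered for; the protection the commit message describes is therefore best-effort, not a guarantee. That limit is worth stating in the comment so nobody relies on it, e.g. `/* ignore an exact 0.0.0.0/0 remote TS; narrower ranges that still cover the local LAN are not filtered here */`. The comparison is also inherently IPv4-only (4-byte chunks), which is fine for ARP but deserves a word in the same comment. child_updown's body begins before the first hunk and continues after the second.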