From: Ondrej Zajicek Date: Sun, 22 Jan 2023 22:42:08 +0000 (+0100) Subject: BFD: Improve incoming packet matching X-Git-Tag: v2.0.12~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=99872676df45f1a490d3d63f43081afb41477040;p=thirdparty%2Fbird.git BFD: Improve incoming packet matching For active sessions, ignore received packets with zero local id and mismatched remote id. That forces a session timeout instead of an immediate session restart. It makes BFD sessions more resilient to packet spoofing. Thanks to André Grüneberg for the suggestion. --- diff --git a/proto/bfd/packets.c b/proto/bfd/packets.c index 5f10734ce..cb5f0d890 100644 --- a/proto/bfd/packets.c +++ b/proto/bfd/packets.c @@ -374,6 +374,10 @@ bfd_rx_hook(sock *sk, uint len) /* FIXME: better session matching and message */ if (!s) return 1; + + /* For active sessions we require matching remote id */ + if ((s->loc_state == BFD_STATE_UP) && (ntohl(pkt->snd_id) != s->rem_id)) + DROP("mismatched remote id", ntohl(pkt->snd_id)); } /* bfd_check_authentication() has its own error logging */
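Review bot: The added condition `(s->loc_state == BFD_STATE_UP)` in bfd_rx_hook() is narrower than the wording around it. Both the new comment and the commit message say "active sessions", yet only the Up state is tested. If a session in another state that already holds a learned `rem_id` should get the same protection, the condition needs to cover it. If Up-only is intended, the comment should say "sessions in Up state" so the scope is unambiguous. The comment could also mention that, per the commit message, this applies to packets with zero local id and that the effect is a session timeout rather than an immediate restart, since neither is evident from the code alone. A minor point: `ntohl(pkt->snd_id)` is evaluated twice in the added lines, once in the comparison and once in the DROP() argument, so a local variable would read more cleanly. Because the check sits before the bfd_check_authentication() call shown in the trailing context, the "mismatched remote id" message will also be emitted for packets that would have failed authentication anyway, so it is worth confirming that this logging behaviour is acceptable under a flood of spoofed packets.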