From c0482d5a8a5f7596bf26dd9268cd55dd145c7ec4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Thu, 29 Feb 2024 11:47:37 +0100
Subject: [PATCH] daemon/io: ignore UDP requests from ports < 1024

---
 NEWS        | 1 +
 daemon/io.c | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/NEWS b/NEWS
index c0fd0dcae..f44cb99a4 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ Improvements
 ------------
 - manager: clear the cache via management HTTP API (#876,!1491)
 - docs: documentation is now separated into user and developer parts (!1514)
+- daemon: ignore UDP requests from ports < 1024 (!1507)
 
 Bugfixes
 --------
diff --git a/daemon/io.c b/daemon/io.c
index ac9a08e03..ea98a7f0e 100644
--- a/daemon/io.c
+++ b/daemon/io.c
@@ -80,6 +80,14 @@ void udp_recv(uv_udp_t *handle, ssize_t nread, const uv_buf_t *buf,
 		}
 	}
 
+	// We're aware of no use cases for low source ports,
+	// and they might be useful for attacks with spoofed source IPs.
+	if (!s->outgoing && kr_inaddr_port(comm_addr) < 1024) {
+		kr_log_debug(IO, "<= ignoring UDP from suspicious port: '%s'\n",
+				kr_straddr(comm_addr));
+		return;
+	}
+
 	int ret = wire_buf_consume(&s->layers->wire_buf, nread);
 	if (ret) {
 		wire_buf_reset(&s->layers->wire_buf);
-- 
2.47.2
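Review bot: The cut-off `1024` in the new condition in udp_recv is a bare magic number with no name and no way for an operator to observe how often it fires; name it at file scope, e.g. `enum { UDP_MIN_SRC_PORT = 1024 }; /* below this, UDP requests are treated as likely spoofed */` (proposed name), and use it in the comparison. Because the drop is only reported at debug level, a deployment that does have a legitimate client sending from a low port will see requests vanish with nothing in normal logs; a dedicated drop counter next to the existing request statistics would make the effect visible without raising the log level. It is worth confirming what kr_inaddr_port() returns for an address family it does not handle — if it is a negative value, such packets are now dropped by this check too, which is probably acceptable but should be stated in the comment. The enclosing function udp_recv starts before and ends after this hunk.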