BFD: Improve incoming packet matching

For active sessions, ignore received packets with zero local id and mismatched remote id. That forces a session timeout instead of an immediate session restart. It makes BFD sessions more resilient to packet spoofing. Thanks to André Grüneberg for the suggestion.

BFD: Improve incoming packet matching
99872676 · Ondřej Zajíček · a8268369 · 99872676
Commit 99872676 authored 2 years ago by Ondřej Zajíček
--- a/proto/bfd/packets.c
+++ b/proto/bfd/packets.c
@@ -374,6 +374,10 @@ bfd_rx_hook(sock *sk, uint len)
    /* FIXME: better session matching and message */
    if (!s)
      return 1;
+
+    /* For active sessions we require matching remote id */
+    if ((s->loc_state == BFD_STATE_UP) && (ntohl(pkt->snd_id) != s->rem_id))
+      DROP("mismatched remote id", ntohl(pkt->snd_id));
  }

  /* bfd_check_authentication() has its own error logging */