farp: Ignore SAs with 0.0.0.0/0 remote traffic selector
authorTobias Brunner <tobias@strongswan.org>
Tue, 26 Nov 2019 16:43:57 +0000 (17:43 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 6 Dec 2019 09:06:16 +0000 (10:06 +0100)
This is mostly to avoid hijacking the local LAN if the farp plugin is
inadvertently active on a roadwarrior.

Fixes #3116.

src/libcharon/plugins/farp/farp_listener.c

index 377dda3..a48ede2 100644 (file)
@@ -75,6 +75,8 @@ METHOD(listener_t, child_updown, bool,
        enumerator_t *enumerator;
        traffic_selector_t *ts;
        entry_t *entry;
+       const chunk_t full_from = chunk_from_chars(0x00, 0x00, 0x00, 0x00),
+                                 full_to   = chunk_from_chars(0xff, 0xff, 0xff, 0xff);
 
        if (up)
        {
@@ -91,6 +93,13 @@ METHOD(listener_t, child_updown, bool,
                        {
                                continue;
                        }
+                       /* ignore 0.0.0.0/0 remote TS because we don't want to
+                        * reply to ARP requests for locally connected subnets */
+                       if (chunk_equals(ts->get_from_address(ts), full_from) &&
+                               chunk_equals(ts->get_to_address(ts), full_to))
+                       {
+                               continue;
+                       }
                        entry->remote->insert_last(entry->remote, ts->clone(ts));
                }
                enumerator->destroy(enumerator);
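Review bot: The new guard in the second hunk only skips a remote TS that is exactly 0.0.0.0-255.255.255.255, so any narrower range that still covers the local LAN (for example a pair of /1 selectors, or a broad /8 chosen by a split-tunnel policy) is still inserted and the plugin will keep answering ARP for locally connected hosts; the commit message's goal of not hijacking the LAN is therefore only met for the exact default-route case. If that is the intended scope, the comment above the check should say so, e.g. `/* only the exact 0.0.0.0/0 range is filtered; narrower ranges that still cover the local subnet are not */`; otherwise the check could compare the TS against the address/netmask of the interface the ARP request arrived on rather than against fixed byte patterns. The comparison itself is safe for IPv6 selectors, since their 16-byte addresses never equal the 4-byte `full_from`/`full_to` chunks. child_updown starts before the first hunk and its body continues past this one.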