From: John Lo
Date: Mon, 25 Jun 2018 16:35:21 +0000 (-0400)
Subject: Add checks for bad ARP request packets in arp-termination node
X-Git-Tag: v18.07-rc1~113
X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F08%2F13208%2F3;p=vpp.git

Add checks for bad ARP request packets in arp-termination node

Check ARP request packet with bad requester MAC/IP address and drop these packets. Also removed useless VRRP check in the node.

Change-Id: I2c8a774d291928eb623b3a515f1edf7e338fa760
Signed-off-by: John Lo
---

diff --git a/src/vnet/ethernet/arp.c b/src/vnet/ethernet/arp.c
index a17f7dae02b..c6f9324eabe 100644
--- a/src/vnet/ethernet/arp.c
+++ b/src/vnet/ethernet/arp.c
@@ -2324,7 +2324,6 @@ arp_term_l2bd (vlib_main_t * vm,
 u16 bd_index0;
 u32 ip0;
 u8 *macp0;
-u8 is_vrrp_reply0;
 
 pi0 = from[0];
 to_next[0] = pi0;
@@ -2373,24 +2372,22 @@ arp_term_l2bd (vlib_main_t * vm,
 if (error0)
 goto drop;
 
-is_vrrp_reply0 =
-((arp0->opcode ==
-clib_host_to_net_u16 (ETHERNET_ARP_OPCODE_reply))
-&&
-(!memcmp
-(arp0->ip4_over_ethernet[0].ethernet, vrrp_prefix,
-sizeof (vrrp_prefix))));
-
 /* Trash ARP packets whose ARP-level source addresses do not
-match their L2-frame-level source addresses, unless it's
-a reply from a VRRP virtual router */
+match, or if requester address is mcast */
 if (PREDICT_FALSE
 (memcmp (eth0->src_address,
 arp0->ip4_over_ethernet[0].ethernet,
-sizeof (eth0->src_address)) && !is_vrrp_reply0))
+sizeof (eth0->src_address)) ||
+ethernet_address_cast (arp0->ip4_over_ethernet[0].ethernet)))
 {
 error0 = ETHERNET_ARP_ERROR_l2_address_mismatch;
 goto drop;
 }
+if (PREDICT_FALSE
+(ip4_address_is_multicast (&arp0->ip4_over_ethernet[0].ip4)))
+{
+error0 = ETHERNET_ARP_ERROR_l3_src_address_not_local;
+goto drop;
+}
 /* Check if anyone want ARP request events for L2 BDs */
 {
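Review bot: The new multicast sender-IP drop in the second hunk of arp.c is accounted under `ETHERNET_ARP_ERROR_l3_src_address_not_local`, a counter whose name describes a different condition and which is presumably shared with other drop paths in this node, so an operator seeing that counter climb cannot tell a multicast-sender flood from an ordinary not-local sender; a dedicated counter (e.g. `ETHERNET_ARP_ERROR_l3_src_address_multicast` — placeholder name, it would need adding to the node's error enum) or at least a comment such as `/* multicast sender IP is never valid in ARP; counted under l3_src_address_not_local */` would keep the drop attributable. The updated comment `match, or if requester address is mcast` also understates the check: `ethernet_address_cast` and `ip4_address_is_multicast` are applied to the sender fields of every ARP packet regardless of opcode, so "sender" rather than "requester" would be accurate. Note that the sender-IP check rejects only multicast; the all-zero sender used by RFC 5227 address probes still passes, which is the intended behaviour and worth stating in the comment so a later tightening does not break it. The enclosing function arp_term_l2bd starts and ends outside both hunks.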