authorDenys Haryachyy <garyachy@gmail.com>2024-09-12 07:28:28 +0000
committerDenys Haryachyy <garyachy@gmail.com>2024-09-12 07:28:28 +0000
commit8e3c278bbcd0ced1d4058cc7a2c9aebdfbc8b651 (patch)
tree80a8bcc79747bf2a6831264e933f5158c2d1bc81 /nhrpd
parentbf1fa1b2dfeebb4fefcf3655111f30a766b6bc6d (diff)
nhrpd: fixes duplicate auth extension
When an NHRP peer was forwarding a message, it was copying all extensions from the originally received packet. The authentication extension must be regenerated hop by hop per RFC2332. This fix checks for the auth extension when copying extensions and omits the original packet auth and instead regenerates a new auth extension. Fix bug #16507 Signed-off-by: Denys Haryachyy <garyachy@gmail.com>
Diffstat (limited to 'nhrpd')
-rw-r--r--nhrpd/nhrp_peer.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/nhrpd/nhrp_peer.c b/nhrpd/nhrp_peer.c
index 3495317d4c..d2c1a8c401 100644
--- a/nhrpd/nhrp_peer.c
+++ b/nhrpd/nhrp_peer.c
@@ -597,6 +597,12 @@ static void nhrp_handle_resolution_req(struct nhrp_packet_parser *pp)
nhrp_ext_complete(zb, ext);
}
break;
+ case NHRP_EXTENSION_AUTHENTICATION:
+ /* Extensions can be copied from original packet except
+ * authentication extension which must be regenerated
+ * hop by hop.
+ */
+ break;
default:
if (nhrp_ext_reply(zb, hdr, ifp, ext, &payload) < 0)
goto err;
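Review bot: The new `case NHRP_EXTENSION_AUTHENTICATION:` only drops the received extension; nothing in this hunk adds the regenerated one, so the comment's "must be regenerated" depends on code outside the visible lines. If regeneration happens on the send path, the comment should say so, e.g. `/* Skip the received auth extension; a fresh one is appended when the packet is sent. */` (wording to be confirmed against the actual send code), so that a later reader neither assumes the reply leaves unauthenticated nor adds a second copy. The commit message describes the forwarding case while this hunk sits in `nhrp_handle_resolution_req`, so it is worth checking that any other loop copying extensions from a received packet skips the authentication extension the same way. The function's body starts and ends outside the hunk.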