nhrpd: fixes duplicate auth extension

When an NHRP peer was forwarding a message, it was copying all extensions from the originally received packet. The authentication extension must be regenerated hop by hop per RFC2332. This fix checks for the auth extension when copying extensions and omits the original packet auth and instead regenerates a new auth extension. Fix bug #16507 Signed-off-by: Denys Haryachyy <garyachy@gmail.com>
2024-09-12 07:28:28 +00:00 · 2024-09-12 07:28:28 +00:00 · 8e3c278bbc
parent bf1fa1b2df
commit 8e3c278bbc
1 changed files with 6 additions and 0 deletions
--- a/nhrpd/nhrp_peer.c
+++ b/nhrpd/nhrp_peer.c
@ -597,6 +597,12 @@ static void nhrp_handle_resolution_req(struct nhrp_packet_parser *pp)
 				nhrp_ext_complete(zb, ext);
 			}
 			break;
+		case NHRP_EXTENSION_AUTHENTICATION:
+			/* Extensions can be copied from original packet except
+			 * authentication extension which must be regenerated
+			 * hop by hop.
+			 */
+			break;
 		default:
 			if (nhrp_ext_reply(zb, hdr, ifp, ext, &payload) < 0)
 				goto err;