Do not allow VERB_RENDEZVOUS from non-upstream peers, to block a potential DoS vector.
parent
aa6e3c79a0
commit
95953b48f9
3 changed files with 43 additions and 20 deletions
|
@ -461,21 +461,26 @@ bool IncomingPacket::_doWHOIS(const RuntimeEnvironment *RR,const SharedPtr<Peer>
|
||||||
bool IncomingPacket::_doRENDEZVOUS(const RuntimeEnvironment *RR,const SharedPtr<Peer> &peer)
|
bool IncomingPacket::_doRENDEZVOUS(const RuntimeEnvironment *RR,const SharedPtr<Peer> &peer)
|
||||||
{
|
{
|
||||||
try {
|
try {
|
||||||
const Address with(field(ZT_PROTO_VERB_RENDEZVOUS_IDX_ZTADDRESS,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH);
|
if (RR->topology->isUpstream(peer->identity())) {
|
||||||
const SharedPtr<Peer> withPeer(RR->topology->getPeer(with));
|
const Address with(field(ZT_PROTO_VERB_RENDEZVOUS_IDX_ZTADDRESS,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH);
|
||||||
if (withPeer) {
|
const SharedPtr<Peer> withPeer(RR->topology->getPeer(with));
|
||||||
const unsigned int port = at<uint16_t>(ZT_PROTO_VERB_RENDEZVOUS_IDX_PORT);
|
if (withPeer) {
|
||||||
const unsigned int addrlen = (*this)[ZT_PROTO_VERB_RENDEZVOUS_IDX_ADDRLEN];
|
const unsigned int port = at<uint16_t>(ZT_PROTO_VERB_RENDEZVOUS_IDX_PORT);
|
||||||
if ((port > 0)&&((addrlen == 4)||(addrlen == 16))) {
|
const unsigned int addrlen = (*this)[ZT_PROTO_VERB_RENDEZVOUS_IDX_ADDRLEN];
|
||||||
InetAddress atAddr(field(ZT_PROTO_VERB_RENDEZVOUS_IDX_ADDRESS,addrlen),addrlen,port);
|
if ((port > 0)&&((addrlen == 4)||(addrlen == 16))) {
|
||||||
TRACE("RENDEZVOUS from %s says %s might be at %s, starting NAT-t",peer->address().toString().c_str(),with.toString().c_str(),atAddr.toString().c_str());
|
InetAddress atAddr(field(ZT_PROTO_VERB_RENDEZVOUS_IDX_ADDRESS,addrlen),addrlen,port);
|
||||||
peer->received(RR,_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_RENDEZVOUS,0,Packet::VERB_NOP);
|
TRACE("RENDEZVOUS from %s says %s might be at %s, starting NAT-t",peer->address().toString().c_str(),with.toString().c_str(),atAddr.toString().c_str());
|
||||||
RR->sw->rendezvous(withPeer,_localAddress,atAddr);
|
peer->received(RR,_localAddress,_remoteAddress,hops(),packetId(),Packet::VERB_RENDEZVOUS,0,Packet::VERB_NOP);
|
||||||
|
RR->sw->rendezvous(withPeer,_localAddress,atAddr);
|
||||||
|
} else {
|
||||||
|
TRACE("dropped corrupt RENDEZVOUS from %s(%s) (bad address or port)",peer->address().toString().c_str(),_remoteAddress.toString().c_str());
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
TRACE("dropped corrupt RENDEZVOUS from %s(%s) (bad address or port)",peer->address().toString().c_str(),_remoteAddress.toString().c_str());
|
RR->sw->requestWhois(with);
|
||||||
|
TRACE("ignored RENDEZVOUS from %s(%s) to meet unknown peer %s",peer->address().toString().c_str(),_remoteAddress.toString().c_str(),with.toString().c_str());
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
TRACE("ignored RENDEZVOUS from %s(%s) to meet unknown peer %s",peer->address().toString().c_str(),_remoteAddress.toString().c_str(),with.toString().c_str());
|
TRACE("ignored RENDEZVOUS from %s(%s): not a root server or a network relay",peer->address().toString().c_str(),_remoteAddress.toString().c_str());
|
||||||
}
|
}
|
||||||
} catch ( ... ) {
|
} catch ( ... ) {
|
||||||
TRACE("dropped RENDEZVOUS from %s(%s): unexpected exception",peer->address().toString().c_str(),_remoteAddress.toString().c_str());
|
TRACE("dropped RENDEZVOUS from %s(%s): unexpected exception",peer->address().toString().c_str(),_remoteAddress.toString().c_str());
|
||||||
|
|
|
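Review bot: The new gate `if (RR->topology->isUpstream(peer->identity()))` carries no comment saying what it defends against, and the reason lives only in the commit message. Suggest adding above it `// Only roots and our networks' preferred relays may ask us to start NAT traversal toward an arbitrary address; honoring RENDEZVOUS from anyone else lets a peer make this node send traffic wherever it names.` The check is evaluated before any packet field is read and the rejected branch does no work beyond a TRACE, which is the right order for a rate-sensitive path. The closing brace and return of _doRENDEZVOUS are outside this hunk.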
@ -29,6 +29,8 @@
|
||||||
#include "Topology.hpp"
|
#include "Topology.hpp"
|
||||||
#include "RuntimeEnvironment.hpp"
|
#include "RuntimeEnvironment.hpp"
|
||||||
#include "Node.hpp"
|
#include "Node.hpp"
|
||||||
|
#include "Network.hpp"
|
||||||
|
#include "NetworkConfig.hpp"
|
||||||
#include "Buffer.hpp"
|
#include "Buffer.hpp"
|
||||||
|
|
||||||
namespace ZeroTier {
|
namespace ZeroTier {
|
||||||
|
@ -283,6 +285,23 @@ keep_searching_for_roots:
|
||||||
return bestRoot;
|
return bestRoot;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool Topology::isUpstream(const Identity &id) const
|
||||||
|
{
|
||||||
|
if (isRoot(id))
|
||||||
|
return true;
|
||||||
|
std::vector< SharedPtr<Network> > nws(RR->node->allNetworks());
|
||||||
|
for(std::vector< SharedPtr<Network> >::const_iterator nw(nws.begin());nw!=nws.end();++nw) {
|
||||||
|
SharedPtr<NetworkConfig> nc((*nw)->config2());
|
||||||
|
if (nc) {
|
||||||
|
for(std::vector< std::pair<Address,InetAddress> >::const_iterator r(nc->relays().begin());r!=nc->relays().end();++r) {
|
||||||
|
if (r->first == id.address())
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
bool Topology::worldUpdateIfValid(const World &newWorld)
|
bool Topology::worldUpdateIfValid(const World &newWorld)
|
||||||
{
|
{
|
||||||
Mutex::Lock _l(_lock);
|
Mutex::Lock _l(_lock);
|
||||||
|
|
|
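Review bot: In the inner loop of isUpstream the condition calls `nc->relays().begin()` and `nc->relays().end()` as two separate calls; if relays() returns its vector by value rather than by const reference, those are iterators into two different temporaries and the comparison is undefined. Binding the result once removes the question regardless of the return type: `const std::vector< std::pair<Address,InetAddress> > &relays(nc->relays());` and then `for(std::vector< std::pair<Address,InetAddress> >::const_iterator r(relays.begin());r!=relays.end();++r) {`. Whether relays() returns by reference is not visible in this hunk. Note also that this function now runs on every received RENDEZVOUS and copies the network list through allNetworks() each time, which is worth a one-line comment so the cost is not forgotten if the protocol path gets busier.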
@ -136,16 +136,15 @@ public:
|
||||||
inline bool isRoot(const Identity &id) const
|
inline bool isRoot(const Identity &id) const
|
||||||
{
|
{
|
||||||
Mutex::Lock _l(_lock);
|
Mutex::Lock _l(_lock);
|
||||||
if (std::find(_rootAddresses.begin(),_rootAddresses.end(),id.address()) != _rootAddresses.end()) {
|
return (std::find(_rootAddresses.begin(),_rootAddresses.end(),id.address()) != _rootAddresses.end());
|
||||||
// Double check full identity for security reasons
|
|
||||||
for(std::vector<World::Root>::const_iterator r(_world.roots().begin());r!=_world.roots().end();++r) {
|
|
||||||
if (id == r->identity)
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param id Identity to check
|
||||||
|
* @return True if this is a root server or a network preferred relay from one of our networks
|
||||||
|
*/
|
||||||
|
bool isUpstream(const Identity &id) const;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return Vector of root server addresses
|
* @return Vector of root server addresses
|
||||||
*/
|
*/
|
||||||
|
|
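Review bot: isRoot now decides on the 40-bit address alone; the removed loop compared the full `Identity` against `_world.roots()`, and its own comment said that was done for security. Since isUpstream, and through it the new RENDEZVOUS gate, now depends on isRoot, an identity that merely shares a root's address would pass as upstream unless the caller has already verified it is exactly the root identity recorded in the world, which is not visible in this hunk. If that verification happens elsewhere, a comment on isRoot stating where should replace the removed check; otherwise keep the identity comparison. The new isUpstream doc comment should also say that relay matching is by address only, since that is what Topology.cpp does.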