Fix duplicate address detection

The current code compares the target IP of an ARP reply packet with the srcaddr/sender IP of the request packet. Instead it should compare the source IP of the ARP reply with the destaddr/target IP of the request packet. In addition, this adds the check for ARP requests with the same IP address in case other systems are probing for the same IP at the same time as per the recommendation in RFC 5227. This is related to #6133.
netblue30 · Jan 16, 2024 · 35a8a53 · 35a8a53
1 parent ae8f62d
commit 35a8a53
Showing 1 changed file with 18 additions and 7 deletions.
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
@@ -230,15 +230,26 @@ int arp_check(const char *dev, uint32_t destaddr) {
  if (framerx[12] != (ETH_P_ARP / 256) || framerx[13] != (ETH_P_ARP % 256))
  continue;
  memcpy(&hdr, framerx + 14, sizeof(ArpHdr));
- if (hdr.opcode == htons(1))
- continue;
- if (hdr.opcode == htons(2)) {
- // check my mac and my address
- if (memcmp(ifr.ifr_hwaddr.sa_data, hdr.target_mac, 6) != 0)
- continue;
+ if (hdr.opcode == htons(1)) {
+ // request, check if someone else is probing the same IP
+ if (memcmp(ifr.ifr_hwaddr.sa_data, hdr.sender_mac, 6) == 0)
+ continue; // it was our own probe, ignore it
+
  uint32_t ip;
  memcpy(&ip, hdr.target_ip, 4);
- if (ip != srcaddr) {
+ if (ip != destaddr) {
+ continue;
+ }
+ close(sock);
+ return -1;
+ }
+ if (hdr.opcode == htons(2)) {
+ // reply, check if someone else has the address we are probing for
+ /*if (memcmp(ifr.ifr_hwaddr.sa_data, hdr.target_mac, 6) != 0)
+ continue;*/
+ uint32_t ip;
+ memcpy(&ip, hdr.sender_ip, 4);
+ if (ip != destaddr) {
  continue;
  }
  close(sock);