Add a martian + strict-RPF source filter to ip_recv's WOLFIP_ENABLE_FORWARDING

relay path so packets sourced from 127.0.0.0/8 on a non-loopback ingress,
169.254.0.0/16 link-local, or any locally-configured subnet on the wrong
interface are dropped before wolfIP_forward_interface, with
test_regression_forwarding_rpf_drops_spoofed_source pinning the contract.

Author: gasbytes

src/test/unit/unit.c

@@ -789,6 +789,7 @@ Suite *wolf_suite(void)
     tcase_add_test(tc_proto, test_forward_packet_ip_filter_drop);
     tcase_add_test(tc_proto, test_forward_packet_eth_filter_drop);
     tcase_add_test(tc_proto, test_loopback_dest_not_forwarded);
+    tcase_add_test(tc_proto, test_regression_forwarding_rpf_drops_spoofed_source);
     tcase_add_test(tc_proto, test_tcp_listen_rejects_wrong_interface);
     tcase_add_test(tc_proto, test_tcp_listen_accepts_bound_interface);
     tcase_add_test(tc_proto, test_tcp_listen_accepts_any_interface);

src/test/unit/unit_tests_proto.c

@@ -3762,6 +3762,57 @@ START_TEST(test_loopback_dest_not_forwarded)
 }
 END_TEST
 
+START_TEST(test_regression_forwarding_rpf_drops_spoofed_source)
+{
+    static const ip4 spoofed_sources[] = {
+        0x7F000001U, /* 127.0.0.1; loopback */
+        0xA9FE0001U, /* 169.254.0.1; link-local */
+        0xC0A80132U  /* 192.168.1.50; in TEST_SECOND_IF's subnet, wrong ingress */
+    };
+    unsigned int i;
+    uint8_t iface1_mac[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x02};
+    uint8_t next_hop_mac[6] = {0x02, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE};
+    uint8_t src_mac[6] = {0x52, 0x54, 0x00, 0x12, 0x34, 0x56};
+    uint32_t dest_ip = 0xC0A80164U; /* 192.168.1.100; on TEST_SECOND_IF */
+
+    for (i = 0; i < sizeof(spoofed_sources) / sizeof(spoofed_sources[0]); i++) {
+        struct wolfIP s;
+        uint8_t frame_buf[64];
+        struct wolfIP_ip_packet *frame = (struct wolfIP_ip_packet *)frame_buf;
+
+        wolfIP_init(&s);
+        mock_link_init(&s);
+        mock_link_init_idx(&s, TEST_SECOND_IF, iface1_mac);
+        wolfIP_ipconfig_set(&s, 0xC0A80001U, 0xFFFFFF00U, 0);
+        wolfIP_ipconfig_set_ex(&s, TEST_SECOND_IF, 0xC0A80101U, 0xFFFFFF00U, 0);
+        s.arp.neighbors[0].ip = dest_ip;
+        s.arp.neighbors[0].if_idx = TEST_SECOND_IF;
+        memcpy(s.arp.neighbors[0].mac, next_hop_mac, 6);
+
+        memset(frame_buf, 0, sizeof(frame_buf));
+        memcpy(frame->eth.dst, s.ll_dev[TEST_PRIMARY_IF].mac, 6);
+        memcpy(frame->eth.src, src_mac, 6);
+        frame->eth.type = ee16(ETH_TYPE_IP);
+        frame->ver_ihl = 0x45;
+        frame->ttl = 64;
+        frame->proto = WI_IPPROTO_UDP;
+        frame->len = ee16(IP_HEADER_LEN);
+        frame->src = ee32(spoofed_sources[i]);
+        frame->dst = ee32(dest_ip);
+        frame->csum = 0;
+        iphdr_set_checksum(frame);
+
+        memset(last_frame_sent, 0, sizeof(last_frame_sent));
+        last_frame_sent_size = 0;
+
+        wolfIP_recv_ex(&s, TEST_PRIMARY_IF, frame,
+                       ETH_HEADER_LEN + IP_HEADER_LEN);
+
+        ck_assert_uint_eq(last_frame_sent_size, 0);
+    }
+}
+END_TEST
+
 /* wolfSSL IO glue tests */
 START_TEST(test_wolfssl_io_ctx_registers_callbacks)
 {

src/wolfip.c

@@ -8359,6 +8359,39 @@ static inline void ip_recv(struct wolfIP *s, unsigned int if_idx,
             }
         }
         if (!is_local) {
+            ip4 src = ee32(ip->src);
+            int rpf_drop = 0;
+
+            /* Martian source: 127.0.0.0/8 must not arrive on a non-loopback
+             * interface (and must never be forwarded). */
+            if ((src & WOLFIP_LOOPBACK_MASK) ==
+                    (WOLFIP_LOOPBACK_IP & WOLFIP_LOOPBACK_MASK) &&
+                    !wolfIP_is_loopback_if(if_idx)) {
+                rpf_drop = 1;
+            }
+            /* Martian source: 169.254.0.0/16 link-local is not routable. */
+            if (!rpf_drop && (src & 0xFFFF0000U) == 0xA9FE0000U) {
+                rpf_drop = 1;
+            }
+            /* Strict RPF: a source that belongs to some other configured
+             * interface's local subnet must not arrive on this one. */
+            if (!rpf_drop) {
+                for (i = 0; i < s->if_count; i++) {
+                    struct ipconf *conf = &s->ipconf[i];
+                    if (i == if_idx)
+                        continue;
+                    if (!conf || conf->ip == IPADDR_ANY)
+                        continue;
+                    if (ip_is_local_conf(conf, src)) {
+                        rpf_drop = 1;
+                        break;
+                    }
+                }
+            }
+            if (rpf_drop)
+                return;
+
+            {
             int out_if = wolfIP_forward_interface(s, if_idx, dest);
             if (out_if >= 0) {
                 uint8_t mac[6];
@@ -8381,6 +8414,7 @@ static inline void ip_recv(struct wolfIP *s, unsigned int if_idx,
                 wolfIP_forward_packet(s, out_if, ip, len, broadcast ? NULL : mac, broadcast);
                 return;
             }
+            }
         }
     }
 #endif /* WOLFIP_ENABLE_FORWARDING */