Gate request-side arp_store_neighbor in arp_recv on a matching arp_pending_match_and_clear so unsolicited ARP requests can no longer fill the neighbor cache and lock out legitimate replies, with test_arp_request_flood_does_not_lock_out_legit_reply as regression test.

gasbytes · gasbytes · commit 7d92e8b35af9 · 2026-04-30T12:14:32.000+02:00
Updated three pre-existing tests to model the now-required solicited-learn path.
diff --git a/src/test/unit/unit.c b/src/test/unit/unit.c
@@ -715,6 +715,7 @@ Suite *wolf_suite(void)
     tcase_add_test(tc_proto, test_arp_recv_null_stack);
     tcase_add_test(tc_proto, test_arp_recv_request_sends_reply);
     tcase_add_test(tc_proto, test_arp_recv_request_does_not_store_self_neighbor);
+    tcase_add_test(tc_proto, test_arp_request_flood_does_not_lock_out_legit_reply);
     tcase_add_test(tc_proto, test_arp_recv_request_no_send_fn);
     tcase_add_test(tc_proto, test_wolfip_if_for_local_ip_paths);
     tcase_add_test(tc_proto, test_wolfip_if_for_local_ip_null_found);
diff --git a/src/test/unit/unit_tests_proto.c b/src/test/unit/unit_tests_proto.c
@@ -2673,6 +2673,11 @@ START_TEST(test_arp_request_handling) {
     memcpy(arp_req.sma, req_mac, 6);
     arp_req.tip = ee32(device_ip);
 
+    /* Model a solicited learn: stack has an outstanding ARP request for
+     * req_ip, so the request handler is allowed to populate the cache. */
+    s.last_tick = 1000;
+    arp_pending_record(&s, TEST_PRIMARY_IF, req_ip);
+
     /* Call arp_recv with the ARP request */
     arp_recv(&s, TEST_PRIMARY_IF, &arp_req, sizeof(arp_req));
     wolfIP_poll(&s, 1000);
diff --git a/src/test/unit/unit_tests_tcp_ack.c b/src/test/unit/unit_tests_tcp_ack.c
@@ -2235,6 +2235,9 @@ START_TEST(test_arp_recv_request_does_not_store_self_neighbor)
     wolfIP_filter_set_callback(NULL, NULL);
     wolfIP_filter_set_mask(0);
 
+    s.last_tick = 1000;
+    arp_pending_record(&s, TEST_PRIMARY_IF, sender_ip);
+
     memset(&arp_req, 0, sizeof(arp_req));
     arp_req.htype = ee16(1);
     arp_req.ptype = ee16(0x0800);
@@ -2264,6 +2267,89 @@ START_TEST(test_arp_recv_request_does_not_store_self_neighbor)
 }
 END_TEST
 
+/* Regression: a same-LAN attacker that floods the ARP cache by sending
+ * MAX_NEIGHBORS ARP requests from distinct sender IP/MAC pairs targeting our
+ * IP must not lock out legitimate ARP replies for outstanding requests.
+ * arp_store_neighbor's silent-drop-when-full behaviour, combined with
+ * unconditional sender caching from the request branch of arp_recv, lets a
+ * flood deny resolution of any new peer until ARP_AGING_TIMEOUT_MS elapses. */
+START_TEST(test_arp_request_flood_does_not_lock_out_legit_reply)
+{
+    struct wolfIP s;
+    struct arp_packet arp_pkt;
+    struct wolfIP_ll_dev *ll;
+    struct ipconf *conf;
+    const ip4 our_ip = 0x0A000001U;
+    const ip4 legit_ip = 0x0A0000FEU;
+    const uint8_t legit_mac[6] = {0x02, 0xCA, 0xFE, 0xBA, 0xBE, 0x01};
+    uint8_t mac_out[6];
+    int i;
+
+    wolfIP_init(&s);
+    mock_link_init(&s);
+    wolfIP_ipconfig_set(&s, our_ip, 0xFFFFFF00U, 0);
+    wolfIP_filter_set_callback(NULL, NULL);
+    wolfIP_filter_set_mask(0);
+
+    ll = wolfIP_getdev_ex(&s, TEST_PRIMARY_IF);
+    conf = wolfIP_ipconf_at(&s, TEST_PRIMARY_IF);
+    s.last_tick = 1000;
+
+    /* Attacker floods MAX_NEIGHBORS ARP requests from distinct sender
+     * IP/MAC pairs, all targeting our IP. Each one passes the
+     * broadcast/multicast/zero/own-IP filter and so reaches
+     * arp_store_neighbor unconditionally. */
+    for (i = 0; i < MAX_NEIGHBORS; i++) {
+        uint8_t fake_mac[6] = {0xDE, 0xAD, 0xBE, 0xEF, 0x00,
+                               (uint8_t)(0x10 + i)};
+        ip4 fake_ip = (ip4)(0x0A000010U + (uint32_t)i);
+
+        memset(&arp_pkt, 0, sizeof(arp_pkt));
+        memcpy(arp_pkt.eth.dst, ll->mac, 6);
+        memcpy(arp_pkt.eth.src, fake_mac, 6);
+        arp_pkt.eth.type = ee16(ETH_TYPE_ARP);
+        arp_pkt.htype = ee16(1);
+        arp_pkt.ptype = ee16(0x0800);
+        arp_pkt.hlen = 6;
+        arp_pkt.plen = 4;
+        arp_pkt.opcode = ee16(ARP_REQUEST);
+        memcpy(arp_pkt.sma, fake_mac, 6);
+        arp_pkt.sip = ee32(fake_ip);
+        memset(arp_pkt.tma, 0, 6);
+        arp_pkt.tip = ee32(conf->ip);
+
+        s.last_tick += 1;
+        arp_recv(&s, TEST_PRIMARY_IF, &arp_pkt, sizeof(arp_pkt));
+    }
+
+    /* Stack issues a legitimate ARP request for legit_ip and then receives
+     * the matching reply. Caching this reply must succeed even with the
+     * neighbor table full of attacker-driven entries. */
+    s.last_tick += 1;
+    arp_pending_record(&s, TEST_PRIMARY_IF, legit_ip);
+
+    memset(&arp_pkt, 0, sizeof(arp_pkt));
+    memcpy(arp_pkt.eth.dst, ll->mac, 6);
+    memcpy(arp_pkt.eth.src, legit_mac, 6);
+    arp_pkt.eth.type = ee16(ETH_TYPE_ARP);
+    arp_pkt.htype = ee16(1);
+    arp_pkt.ptype = ee16(0x0800);
+    arp_pkt.hlen = 6;
+    arp_pkt.plen = 4;
+    arp_pkt.opcode = ee16(ARP_REPLY);
+    memcpy(arp_pkt.sma, legit_mac, 6);
+    arp_pkt.sip = ee32(legit_ip);
+    memcpy(arp_pkt.tma, ll->mac, 6);
+    arp_pkt.tip = ee32(conf->ip);
+
+    s.last_tick += 1;
+    arp_recv(&s, TEST_PRIMARY_IF, &arp_pkt, sizeof(arp_pkt));
+
+    ck_assert_int_eq(arp_lookup(&s, TEST_PRIMARY_IF, legit_ip, mac_out), 0);
+    ck_assert_mem_eq(mac_out, legit_mac, 6);
+}
+END_TEST
+
 START_TEST(test_send_ttl_exceeded_filter_drop)
 {
     struct wolfIP s;
@@ -2690,7 +2776,6 @@ START_TEST(test_arp_recv_filter_drop)
 
     arp_recv(&s, TEST_PRIMARY_IF, &arp_req, sizeof(arp_req));
     ck_assert_uint_eq(last_frame_sent_size, 0);
-    ck_assert_int_ne(s.arp.neighbors[0].ip, IPADDR_ANY);
 
     wolfIP_filter_set_callback(NULL, NULL);
     wolfIP_filter_set_eth_mask(0);
diff --git a/src/wolfip.c b/src/wolfip.c
@@ -8129,7 +8129,12 @@ static void arp_recv(struct wolfIP *s, unsigned int if_idx, void *buf, int len)
                 if (idx >= 0) {
                     if (memcmp(s->arp.neighbors[idx].mac, sender_mac, 6) == 0)
                         s->arp.neighbors[idx].ts = s->last_tick;
-                } else {
+                } else if (arp_pending_match_and_clear(s, if_idx, sip)) {
+                    /* Only learn from an unsolicited request when we have an
+                     * outstanding ARP request for this peer; otherwise a
+                     * same-LAN attacker can flood requests from distinct
+                     * sender IP/MAC pairs to exhaust the neighbor table and
+                     * lock out legitimate replies until ARP_AGING_TIMEOUT_MS. */
                     arp_store_neighbor(s, if_idx, sip, sender_mac);
                 }
             }

Original file line number	Diff line number	Diff line change
`@@ -8129,7 +8129,12 @@ static void arp_recv(struct wolfIP s, unsigned int if_idx, void buf, int len)`
`8129`	`8129`	`if (idx >= 0) {`
`8130`	`8130`	`if (memcmp(s->arp.neighbors[idx].mac, sender_mac, 6) == 0)`
`8131`	`8131`	`s->arp.neighbors[idx].ts = s->last_tick;`
`8132`		`- } else {`
	`8132`	`+ } else if (arp_pending_match_and_clear(s, if_idx, sip)) {`
	`8133`	`+ /* Only learn from an unsolicited request when we have an`
	`8134`	`+ * outstanding ARP request for this peer; otherwise a`
	`8135`	`+ * same-LAN attacker can flood requests from distinct`
	`8136`	`+ * sender IP/MAC pairs to exhaust the neighbor table and`
	`8137`	`+ * lock out legitimate replies until ARP_AGING_TIMEOUT_MS. */`
`8133`	`8138`	`arp_store_neighbor(s, if_idx, sip, sender_mac);`
`8134`	`8139`	`}`
`8135`	`8140`	`}`