From 2550fe6cd9de9734cbc41179931fd029d8d132d6 Mon Sep 17 00:00:00 2001 From: Denys Fedoryshchenko Date: Sun, 21 Dec 2025 10:44:22 +0200 Subject: radius: Implement DM/CoA security hardening by restricting source ip addresses Signed-off-by: Denys Fedoryshchenko --- accel-pppd/radius/dm_coa.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'accel-pppd/radius/dm_coa.c') diff --git a/accel-pppd/radius/dm_coa.c b/accel-pppd/radius/dm_coa.c index 5f4220d1..df8cdf3e 100644 --- a/accel-pppd/radius/dm_coa.c +++ b/accel-pppd/radius/dm_coa.c @@ -267,6 +267,15 @@ static int dm_coa_read(struct triton_md_handler_t *h) rad_packet_print(pack, NULL, log_debug); } + if (rad_dae_src_check(addr.sin_addr.s_addr)) { + char ipbuf[INET_ADDRSTRLEN]; + const char *ipstr; + + ipstr = inet_ntop(AF_INET, &addr.sin_addr, ipbuf, sizeof(ipbuf)); + log_warn("radius:dm_coa: source %s not allowed\n", ipstr ? ipstr : "unknown"); + goto out_err_no_reply; + } + if (dm_coa_check_RA(pack, conf_dm_coa_secret)) { log_warn("radius:dm_coa: RA validation failed\n"); goto out_err_no_reply; -- cgit v1.2.3