summaryrefslogtreecommitdiff
path: root/accel-pppd/radius/dm_coa.c
diff options
context:
space:
mode:
authorDenys Fedoryshchenko <denys.f@collabora.com>2026-01-05 00:08:12 +0200
committerGitHub <noreply@github.com>2026-01-05 00:08:12 +0200
commitb199d14484e5b8d07dd6a1cd7b865dd84f09e73a (patch)
treed8b33fc2d803b5a9a911a81e628931b3d5a8478b /accel-pppd/radius/dm_coa.c
parentdd41ff523be4b88c70a3d36baa43914983721b63 (diff)
parent2550fe6cd9de9734cbc41179931fd029d8d132d6 (diff)
downloadaccel-ppp-b199d14484e5b8d07dd6a1cd7b865dd84f09e73a.tar.gz
accel-ppp-b199d14484e5b8d07dd6a1cd7b865dd84f09e73a.zip
Merge pull request #285 from nuclearcat/add-coa-security
radius: Implement DM/CoA security hardening by restricting source ips
Diffstat (limited to 'accel-pppd/radius/dm_coa.c')
-rw-r--r--accel-pppd/radius/dm_coa.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/accel-pppd/radius/dm_coa.c b/accel-pppd/radius/dm_coa.c
index 5f4220d1..df8cdf3e 100644
--- a/accel-pppd/radius/dm_coa.c
+++ b/accel-pppd/radius/dm_coa.c
@@ -267,6 +267,15 @@ static int dm_coa_read(struct triton_md_handler_t *h)
rad_packet_print(pack, NULL, log_debug);
}
+ if (rad_dae_src_check(addr.sin_addr.s_addr)) {
+ char ipbuf[INET_ADDRSTRLEN];
+ const char *ipstr;
+
+ ipstr = inet_ntop(AF_INET, &addr.sin_addr, ipbuf, sizeof(ipbuf));
+ log_warn("radius:dm_coa: source %s not allowed\n", ipstr ? ipstr : "unknown");
+ goto out_err_no_reply;
+ }
+
if (dm_coa_check_RA(pack, conf_dm_coa_secret)) {
log_warn("radius:dm_coa: RA validation failed\n");
goto out_err_no_reply;