authorDavid Lönnhager <david.l@mullvad.net>2024-08-19 13:40:54 +0200
committerDavid Lönnhager <david.l@mullvad.net>2024-08-20 12:03:05 +0200
commit440efe9212f584826566fbce3f75a297dfa3d5c5 (patch)
tree3613946cb5ed8bc3afc41e39527bfaa3089f9bc3
parentfa78481826f4b39af78931abde28bbdc4350809c (diff)
Drop outbound packets with unexpected source IP for split tunnel
-rw-r--r--talpid-core/src/split_tunnel/macos/tun.rs28
1 files changed, 28 insertions, 0 deletions
diff --git a/talpid-core/src/split_tunnel/macos/tun.rs b/talpid-core/src/split_tunnel/macos/tun.rs
index ba810f858e..db078a389b 100644
--- a/talpid-core/src/split_tunnel/macos/tun.rs
+++ b/talpid-core/src/split_tunnel/macos/tun.rs
@@ -527,6 +527,16 @@ fn classify_and_send(
log::error!("dropping invalid IPv4 packet");
return;
};
+ if let Some(vpn_v4) = vpn_interface.and_then(|iface| iface.0.v4_address) {
+ let src_ip = ip.get_source();
+ if src_ip != vpn_v4 && src_ip != addrs.source_ip {
+ // Drop packet from invalid source
+ return;
+ }
+ } else if ip.get_source() != addrs.source_ip {
+ // Drop packet from invalid source
+ return;
+ }
fix_ipv4_checksums(&mut ip, Some(addrs.source_ip), None);
if let Err(error) = default_write.write(packet.frame.packet()) {
log::error!("Failed to forward to default device: {error}");
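Review bot: The new source-address check drops the packet silently, whereas the malformed-packet path just above it logs at error level; a packet leaving with a source that is neither the VPN address nor the default-interface address is exactly the event an operator would want visible when diagnosing a misbehaving excluded process, so a drop counter or a `log::trace!` before the `return` (not `error!`, which a flood of such packets would turn into log spam) is worth adding. The same applies to the IPv6 hunk at +554. The `if let`/`else if` pair also states the policy twice; assuming `v4_address` is an `Option` of the same address type `get_source()` returns, `let src_ip = ip.get_source(); let vpn_v4 = vpn_interface.and_then(|iface| iface.0.v4_address); if src_ip != addrs.source_ip && Some(src_ip) != vpn_v4 { return; }` is equivalent and keeps the allowed-source rule in one place. classify_and_send starts before and continues after this hunk.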
@@ -544,6 +554,16 @@ fn classify_and_send(
log::error!("dropping invalid IPv6 packet");
return;
};
+ if let Some(vpn_v6) = vpn_interface.and_then(|iface| iface.0.v6_address) {
+ let src_ip = ip.get_source();
+ if src_ip != vpn_v6 && src_ip != addrs.source_ip {
+ // Drop packet from invalid source
+ return;
+ }
+ } else if ip.get_source() != addrs.source_ip {
+ // Drop packet from invalid source
+ return;
+ }
fix_ipv6_checksums(&mut ip, Some(addrs.source_ip), None);
if let Err(error) = default_write.write(packet.frame.packet()) {
log::error!("Failed to forward to default device: {error}");
@@ -567,6 +587,10 @@ fn classify_and_send(
log::error!("dropping invalid IPv4 packet");
return;
};
+ if ip.get_source() != addr {
+ // Drop packet from invalid source
+ return;
+ }
fix_ipv4_checksums(&mut ip, Some(addr), None);
if let Err(error) = vpn_write.write(packet.frame.payload()) {
log::trace!(
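Review bot: The comment `// Drop packet from invalid source` does not say why a mismatch is dropped here rather than rewritten, even though the very next line passes `Some(addr)` to `fix_ipv4_checksums`; a reader cannot tell whether the check is a policy decision or a defensive guard, so I would expand it to something like `// Only packets that already carry the tunnel address belong on the VPN interface; anything else is dropped rather than rewritten so no process can inject traffic with a foreign source`. The IPv6 hunk at +608 has the identical comment and would take the same wording. As in the default-device hunks, the drop is silent while the invalid-packet branch above logs, so a trace-level log or counter before the `return` would help detection. classify_and_send continues past the end of this hunk.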
@@ -584,6 +608,10 @@ fn classify_and_send(
log::error!("dropping invalid IPv6 packet");
return;
};
+ if ip.get_source() != addr {
+ // Drop packet from invalid source
+ return;
+ }
fix_ipv6_checksums(&mut ip, Some(addr), None);
if let Err(error) = vpn_write.write(packet.frame.payload()) {
log::trace!(