From 7035340b213f3826d3d08c6081091806a175966c Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 26 Nov 2019 17:43:57 +0100
Subject: [PATCH] farp: Ignore SAs with 0.0.0.0/0 remote traffic selector

This is mostly to avoid hijacking the local LAN if the farp plugin is inadvertently active on a roadwarrior.

Fixes #3116.
---
 src/libcharon/plugins/farp/farp_listener.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/libcharon/plugins/farp/farp_listener.c b/src/libcharon/plugins/farp/farp_listener.c
index 377dda366..a48ede26e 100644
--- a/src/libcharon/plugins/farp/farp_listener.c
+++ b/src/libcharon/plugins/farp/farp_listener.c
@@ -75,6 +75,8 @@ METHOD(listener_t, child_updown, bool,
 	enumerator_t *enumerator;
 	traffic_selector_t *ts;
 	entry_t *entry;
+	const chunk_t full_from = chunk_from_chars(0x00, 0x00, 0x00, 0x00),
+				  full_to = chunk_from_chars(0xff, 0xff, 0xff, 0xff);
 
 	if (up)
 	{
@@ -91,6 +93,13 @@ METHOD(listener_t, child_updown, bool,
 			{
 				continue;
 			}
+			/* ignore 0.0.0.0/0 remote TS because we don't want to
+			 * reply to ARP requests for locally connected subnets */
+			if (chunk_equals(ts->get_from_address(ts), full_from) &&
+				chunk_equals(ts->get_to_address(ts), full_to))
+			{
+				continue;
+			}
 			entry->remote->insert_last(entry->remote, ts->clone(ts));
 		}
 		enumerator->destroy(enumerator);
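Review bot: The added guard in the second hunk only skips a remote TS that is exactly 0.0.0.0-255.255.255.255, so any narrower range that still contains the local LAN (a remote TS of 0.0.0.0/1 and 128.0.0.0/1, or a large aggregate that happens to include the LAN prefix) is still inserted into entry->remote and the plugin will keep answering ARP for locally connected addresses; the fix for #3116 is therefore a heuristic for the most common misconfiguration rather than a complete one. If that scope is intentional, the comment should say so, e.g. `/* only the exact 0.0.0.0/0 TS is skipped; narrower ranges that still cover the local subnet are not detected here */`, so that a later reader does not assume the LAN is generally protected. A more robust check would test whether the TS covers the subnet of the interface the ARP request arrives on, which is presumably only known at request time in the spoofer rather than in child_updown. The enclosing child_updown function and the enumerator loop start and end outside the hunk.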