Reject gateway search responses that spoof IP in message body

If the response contains an url pointing to the different IP than the
one from which the response was received, reject such response.

Author: tomaszklak

Cargo.toml

@@ -33,6 +33,7 @@ version = "0.14"
 
 [dev-dependencies]
 simplelog = "0.9"
+test-log = "0.2"
 tokio = {version = "1", features = ["full"]}
 
 [features]

src/aio/search.rs

@@ -24,6 +24,37 @@ pub async fn search_gateway(options: SearchOptions) -> Result<Gateway, SearchErr
 
     let (addr, root_url) = handle_broadcast_resp(&from, &response_body)?;
 
+    match (&from, &addr) {
+        (SocketAddr::V4(src_ip), SocketAddr::V4(url_ip)) => {
+            if src_ip.ip() != url_ip.ip() {
+                return Err(SearchError::SpoofedIp {
+                    src_ip: (*src_ip.ip()).into(),
+                    url_ip: (*url_ip.ip()).into(),
+                });
+            }
+        }
+        (SocketAddr::V6(src_ip), SocketAddr::V6(url_ip)) => {
+            if src_ip.ip() != url_ip.ip() {
+                return Err(SearchError::SpoofedIp {
+                    src_ip: (*src_ip.ip()).into(),
+                    url_ip: (*url_ip.ip()).into(),
+                });
+            }
+        }
+        (SocketAddr::V6(src_ip), SocketAddr::V4(url_ip)) => {
+            return Err(SearchError::SpoofedIp {
+                src_ip: (*src_ip.ip()).into(),
+                url_ip: (*url_ip.ip()).into(),
+            })
+        }
+        (SocketAddr::V4(src_ip), SocketAddr::V6(url_ip)) => {
+            return Err(SearchError::SpoofedIp {
+                src_ip: (*src_ip.ip()).into(),
+                url_ip: (*url_ip.ip()).into(),
+            })
+        }
+    }
+
     let (control_schema_url, control_url) =
         run_with_timeout(options.http_timeout, get_control_urls(&addr, &root_url)).await??;
     let control_schema =
@@ -126,3 +157,47 @@ async fn get_control_schemas(
     let c = std::io::Cursor::new(&resp);
     parsing::parse_schemas(c)
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::{
+        net::{Ipv4Addr, SocketAddrV4},
+        time::Duration,
+    };
+    use test_log::test;
+
+    #[test(tokio::test)]
+    async fn ip_spoofing_in_broadcast_response() {
+        let port = {
+            // Not 100% reliable way to find a free port number, but should be good enough
+            let sock = UdpSocket::bind((Ipv4Addr::UNSPECIFIED, 0)).await.unwrap();
+            sock.local_addr().unwrap().port()
+        };
+
+        let options = SearchOptions {
+            bind_addr: SocketAddr::V4(SocketAddrV4::new(Ipv4Addr::UNSPECIFIED, port)),
+            timeout: Some(Duration::from_secs(5)),
+            http_timeout: Some(Duration::from_secs(1)),
+            ..Default::default()
+        };
+
+        tokio::spawn(async move {
+            tokio::time::sleep(Duration::from_secs(1)).await;
+
+            let sock = UdpSocket::bind((Ipv4Addr::LOCALHOST, 0)).await.unwrap();
+
+            sock.send_to(b"location: http://1.2.3.4:5/test", (Ipv4Addr::LOCALHOST, port))
+                .await
+                .unwrap();
+        });
+
+        let result = search_gateway(options).await;
+        if let Err(SearchError::SpoofedIp { src_ip, url_ip }) = result {
+            assert_eq!(src_ip, Ipv4Addr::LOCALHOST);
+            assert_eq!(url_ip, Ipv4Addr::new(1, 2, 3, 4));
+        } else {
+            panic!("Unexpected result: {result:?}");
+        }
+    }
+}

src/errors.rs

@@ -1,6 +1,7 @@
 use std::error;
 use std::fmt;
 use std::io;
+use std::net::IpAddr;
 use std::str;
 #[cfg(feature = "aio")]
 use std::string::FromUtf8Error;
@@ -313,6 +314,13 @@ pub enum SearchError {
     /// Error parsing URI
     #[cfg(feature = "aio")]
     InvalidUri(hyper::http::uri::InvalidUri),
+    /// Ip spoofing detected error
+    SpoofedIp {
+        /// The IP from which packet was actually received
+        src_ip: IpAddr,
+        /// The IP which the receiving packet pretended to be from
+        url_ip: IpAddr,
+    },
 }
 
 impl From<attohttpc::Error> for SearchError {
@@ -371,6 +379,7 @@ impl fmt::Display for SearchError {
             SearchError::HyperError(ref e) => write!(f, "Hyper Error: {}", e),
             #[cfg(feature = "aio")]
             SearchError::InvalidUri(ref e) => write!(f, "InvalidUri Error: {}", e),
+            SearchError::SpoofedIp { src_ip, url_ip } => write!(f, "Spoofed IP from {src_ip} spoofed as {url_ip}"),
         }
     }
 }
@@ -387,6 +396,7 @@ impl error::Error for SearchError {
             SearchError::HyperError(ref e) => Some(e),
             #[cfg(feature = "aio")]
             SearchError::InvalidUri(ref e) => Some(e),
+            SearchError::SpoofedIp { .. } => None,
         }
     }
 }