7272
7373#ifdef HAVE_THREAD
7474
75+ #define TRACE_DEEP
76+ #ifdef TRACE_DEEP
77+ #define tr_deep tr_debug
78+ #else
79+ #define tr_deep (...)
80+ #endif
81+
7582typedef struct scan_query {
7683 int8_t coap_service_id ;
7784 uint8_t channel_mask [6 ]; //<!** first byte is channel page
@@ -395,19 +402,14 @@ static int thread_management_server_pending_get_respond(int8_t interface_id, int
395402static int thread_management_server_get_command_cb (int8_t service_id , uint8_t source_address [16 ], uint16_t source_port , sn_coap_hdr_s * request_ptr )
396403{
397404 (void ) source_port ;
405+ (void ) source_address ;
398406
399407 thread_management_server_t * this = thread_management_find_by_service (service_id );
400408
401409 if (!this ) {
402410 return -1 ;
403411 }
404412
405- if (!thread_management_server_source_address_check (this -> interface_id , source_address )) {
406- // request is coming from illegal address, return error immediately
407- coap_service_response_send (service_id , COAP_REQUEST_OPTIONS_NONE , request_ptr , COAP_MSG_CODE_RESPONSE_BAD_REQUEST , COAP_CT_OCTET_STREAM , NULL , 0 );
408- return 0 ;
409- }
410-
411413 return thread_management_server_tmf_get_request_handler (this -> interface_id , service_id , request_ptr );
412414
413415}
@@ -418,7 +420,6 @@ static int thread_management_server_commissioner_get_cb(int8_t service_id, uint8
418420 (void ) source_port ;
419421 protocol_interface_info_entry_t * cur ;
420422 thread_management_server_t * this = thread_management_find_by_service (service_id );
421- sn_coap_msg_code_e return_code = COAP_MSG_CODE_RESPONSE_CHANGED ;
422423 uint8_t response_msg [2 + 2 + 2 + 2 + 2 + 16 + 2 + 2 ];
423424 uint8_t * request_tlv_ptr = NULL ;
424425 uint16_t request_tlv_len ;
@@ -434,11 +435,6 @@ static int thread_management_server_commissioner_get_cb(int8_t service_id, uint8
434435 }
435436 payload_ptr = ptr = response_msg ;
436437
437- if (!thread_management_server_source_address_check (this -> interface_id , source_address )) {
438- return_code = COAP_MSG_CODE_RESPONSE_BAD_REQUEST ;
439- goto send_response ;
440- }
441-
442438 if (!cur -> thread_info -> registered_commissioner .commissioner_valid ) {
443439 //Error in message is responded with Thread status or if we have access rights problem
444440 tr_warn ("No registered commissioner" );
@@ -466,7 +462,7 @@ static int thread_management_server_commissioner_get_cb(int8_t service_id, uint8
466462 goto send_response ;
467463 }
468464send_response :
469- coap_service_response_send (this -> coap_service_id , COAP_REQUEST_OPTIONS_NONE , request_ptr , return_code , COAP_CT_OCTET_STREAM , payload_ptr , ptr - payload_ptr );
465+ coap_service_response_send (this -> coap_service_id , COAP_REQUEST_OPTIONS_NONE , request_ptr , COAP_MSG_CODE_RESPONSE_CHANGED , COAP_CT_OCTET_STREAM , payload_ptr , ptr - payload_ptr );
470466 return 0 ;
471467}
472468
@@ -1120,33 +1116,57 @@ static int thread_management_server_announce_begin_cb(int8_t service_id, uint8_t
11201116 return 0 ;
11211117}
11221118
1123- static int coap_msg_prevalidate_cb (int8_t interface_id , uint8_t source_address [static 16 ], uint16_t source_port , uint8_t local_address [static 16 ], uint16_t local_port , char * coap_uri )
1119+ static int coap_msg_prevalidate_cb (int8_t local_interface_id , uint8_t local_address [static 16 ], uint16_t local_port , int8_t recv_interface_id , uint8_t source_address [static 16 ], uint16_t source_port , char * coap_uri )
11241120{
1125- protocol_interface_info_entry_t * cur ;
1126- uint_fast8_t local_addr_scope ;
1121+ protocol_interface_info_entry_t * cur_local , * cur_source ;
1122+ uint_fast8_t addr_scope ;
11271123
11281124 (void ) source_address ;
11291125 (void ) source_port ;
11301126 (void ) coap_uri ;
11311127
1132- cur = protocol_stack_interface_info_get_by_id (interface_id );
1128+ cur_local = protocol_stack_interface_info_get_by_id (local_interface_id );
1129+
1130+ tr_debug ("coap_msg_prevalidate_cb %s to %s from %s to port %d" , coap_uri , trace_ipv6 (local_address ), trace_ipv6 (source_address ), local_port );
11331131
1134- if (!cur ) {
1135- tr_error ("No interface" );
1132+ if (!cur_local ) {
1133+ tr_error ("No interface for %d" , local_interface_id );
11361134 return -1 ;
11371135 }
11381136
11391137 if (local_port != THREAD_MANAGEMENT_PORT ) {
11401138 // Message not sent to THREAD_MANAGEMENT_PORT, let it come through
1139+ tr_deep ("Message %s port %d is not mgmt port" , coap_uri , local_port );
11411140 return 0 ;
11421141 }
11431142
1144- /* check our address scope */
1145- local_addr_scope = addr_ipv6_scope (local_address , cur );
1146- if (local_addr_scope > IPV6_SCOPE_REALM_LOCAL ) {
1143+ // check message source address
1144+ if (!thread_management_server_source_address_check (local_interface_id , source_address )) {
1145+ tr_deep ("Drop CoAP msg %s from %s" , coap_uri , trace_ipv6 (source_address ));
1146+ return 3 ;
1147+ }
1148+
1149+ /* check our local address scope */
1150+ addr_scope = addr_ipv6_scope (local_address , cur_local );
1151+ if (addr_scope > IPV6_SCOPE_REALM_LOCAL ) {
1152+ tr_deep ("Drop CoAP msg %s to %s due %d" , coap_uri , trace_ipv6 (local_address ), addr_scope );
11471153 return 1 ;
11481154 }
11491155
1156+ if (local_interface_id != recv_interface_id ) {
1157+ // message received from different interface
1158+ cur_source = protocol_stack_interface_info_get_by_id (recv_interface_id );
1159+ if (!cur_source ) {
1160+ tr_deep ("No cur for if %d" , recv_interface_id );
1161+ return -1 ;
1162+ }
1163+ addr_scope = addr_ipv6_scope (source_address , cur_source );
1164+ if (addr_scope < IPV6_SCOPE_REALM_LOCAL ) {
1165+ tr_deep ("Drop CoAP msg %s from %s to %s due %d" , coap_uri , trace_ipv6 (source_address ), trace_ipv6 (local_address ), addr_scope );
1166+ return 2 ;
1167+ }
1168+ }
1169+
11501170 return 0 ;
11511171}
11521172
@@ -1194,7 +1214,7 @@ int thread_management_server_init(int8_t interface_id)
11941214 ns_dyn_mem_free (this );
11951215 return -3 ;
11961216 }
1197- coap_service_msg_prevalidate_callback_set (this -> coap_service_id , coap_msg_prevalidate_cb );
1217+ coap_service_msg_prevalidate_callback_set (THREAD_MANAGEMENT_PORT , coap_msg_prevalidate_cb );
11981218#ifdef HAVE_THREAD_ROUTER
11991219 if (thread_leader_service_init (interface_id , this -> coap_service_id ) != 0 ) {
12001220 tr_error ("Thread leader service init failed" );
@@ -1587,10 +1607,15 @@ int thread_management_server_commisoner_data_get(int8_t interface_id, thread_man
15871607bool thread_management_server_source_address_check (int8_t interface_id , uint8_t source_address [16 ])
15881608{
15891609 link_configuration_s * linkConfiguration ;
1590- linkConfiguration = thread_joiner_application_get_config (interface_id );
15911610
1611+ if (memcmp (ADDR_LINK_LOCAL_PREFIX , source_address , 8 ) == 0 ) {
1612+ // Source address is from Link local address
1613+ return true;
1614+ }
1615+
1616+ linkConfiguration = thread_joiner_application_get_config (interface_id );
15921617 if (!linkConfiguration ) {
1593- tr_error ("No link configuration." );
1618+ tr_error ("No link cfg for if %d" , interface_id );
15941619 return false;
15951620 }
15961621
@@ -1599,15 +1624,12 @@ bool thread_management_server_source_address_check(int8_t interface_id, uint8_t
15991624 // Source address is RLOC or ALOC
16001625 } else if (memcmp (source_address , linkConfiguration -> mesh_local_ula_prefix , 8 ) == 0 ) {
16011626 // Source address is ML64 TODO this should check that destination address is ALOC or RLOC CoaP Service does not support
1602- } else if (memcmp (ADDR_LINK_LOCAL_PREFIX , source_address , 8 )) {
1603- // Source address is from Link local address
16041627 } else {
1605- tr_error ("Message out of thread network; ML prefix: %s, src addr: %s" ,
1628+ tr_deep ("Message out of thread network; ML prefix: %s, src addr: %s" ,
16061629 trace_ipv6_prefix (linkConfiguration -> mesh_local_ula_prefix , 64 ),
16071630 trace_ipv6 (source_address ));
16081631 return false;
16091632 }
1610- // TODO: Add other (security) related checks here
16111633
16121634 return true;
16131635}
0 commit comments