From 57835b912e511e526625dab1b3decb4161504301 Mon Sep 17 00:00:00 2001
From: Denys Haryachyy <garyachy@gmail.com>
Date: Thu, 12 Sep 2024 07:28:28 +0000
Subject: [PATCH] nhrpd: fixes duplicate auth extension

When an NHRP peer was forwarding a message, it was copying all
extensions from the originally received packet. The authentication
extension must be regenerated hop by hop per RFC2332.
This fix checks for the auth extension when copying extensions
and omits the original packet auth and instead regenerates a new auth extension.

Fix bug #16507

Signed-off-by: Denys Haryachyy <garyachy@gmail.com>
(cherry picked from commit 8e3c278bbcd0ced1d4058cc7a2c9aebdfbc8b651)
---
 nhrpd/nhrp_peer.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/nhrpd/nhrp_peer.c b/nhrpd/nhrp_peer.c
index 6e7857c777a0..1e149a1674a4 100644
--- a/nhrpd/nhrp_peer.c
+++ b/nhrpd/nhrp_peer.c
@@ -597,6 +597,12 @@ static void nhrp_handle_resolution_req(struct nhrp_packet_parser *pp)
 				nhrp_ext_complete(zb, ext);
 			}
 			break;
+		case NHRP_EXTENSION_AUTHENTICATION:
+			/* Extensions can be copied from original packet except
+			 * authentication extension which must be regenerated
+			 * hop by hop.
+			 */
+			break;
 		default:
 			if (nhrp_ext_reply(zb, hdr, ifp, ext, &payload) < 0)
 				goto err;