Mitigate ARP poisoning by preventing overwrite#58
Merged
gasbytes merged 5 commits intowolfSSL:masterfrom Mar 4, 2026
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens wolfIP’s ARP neighbor learning to mitigate ARP-table poisoning by preventing existing neighbor entries from being overwritten by unsolicited ARP traffic, while still allowing updates when an ARP reply corresponds to a recently-sent ARP request.
Changes:
- Add tracking for recently-issued ARP requests (pending requests with TTL) to distinguish solicited vs unsolicited ARP replies.
- Prevent ARP requests and unsolicited ARP replies from overwriting an existing neighbor cache entry.
- Add unit tests covering: no-overwrite on unsolicited reply, overwrite allowed when reply matches a pending request, and no-overwrite on ARP request.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/wolfip.c | Adds pending-request tracking and changes ARP neighbor update rules to block unsolicited overwrites. |
| src/test/unit/unit.c | Adds/adjusts ARP unit tests to validate the new overwrite-prevention behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
When receiving unsolicited ARP traffic, wolfIP accepts neighbors addresses. This prevents overwriting/poisoning ARP tables when an attacker is trying to impersonate an existing neighbor. For latency/performance optimizations, wolfIP is currently still populating the neighbor cache based on valid ARP requests from neighbors, if neighbors were not known.
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
src/wolfip.c:5284
arp_pending_record()is called before the send filter check and before verifying the ARP request is actually transmitted. IfwolfIP_filter_notify_eth()blocks sending (orll->sendis NULL), a pending entry is still recorded and an attacker can then send a spoofed ARP reply within the TTL that will be treated as solicited and allowed to update/overwrite the neighbor entry. Move the pending record to only occur after the send filter passes (and ideally only when the request is actually sent).
arp.tip = ee32(tip);
arp_pending_record(s, if_idx, tip);
if (ll->send) {
if (wolfIP_filter_notify_eth(WOLFIP_FILT_SENDING, s, if_idx, &arp.eth,
sizeof(struct arp_packet)) != 0)
return;
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
gasbytes
reviewed
Mar 3, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (2)
src/wolfip.c:5299
arp_pending_record()is called before confirming the ARP request will actually be sent. Ifll->sendis NULL orwolfIP_filter_notify_eth()blocks the frame, the stack will still treat a later ARP reply as “pending” and allow a neighbor entry to be created/overwritten based on a request that never went out. Move the pending-recording to only occur after the filter allows the send (and only whenll->sendis non-NULL); ideally also avoid recording when the request is throttled/early-returned.
arp.tip = ee32(tip);
arp_pending_record(s, if_idx, tip);
if (ll->send) {
if (wolfIP_filter_notify_eth(WOLFIP_FILT_SENDING, s, if_idx, &arp.eth,
sizeof(struct arp_packet)) != 0)
return;
ll->send(ll, &arp, sizeof(struct arp_packet));
src/wolfip.c:5299
- The new “pending ARP request” tracking is security-sensitive, but the unit tests don’t currently cover the cases where an ARP request is not actually sent (e.g.
ll->send == NULLor the eth send filter drops it). Add tests to ensure no pending entry is recorded in those cases, so a forged ARP reply can’t be accepted as pending.
arp_pending_record(s, if_idx, tip);
if (ll->send) {
if (wolfIP_filter_notify_eth(WOLFIP_FILT_SENDING, s, if_idx, &arp.eth,
sizeof(struct arp_packet)) != 0)
return;
ll->send(ll, &arp, sizeof(struct arp_packet));
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
if the IP/MAC stay the same.
gasbytes
approved these changes
Mar 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When receiving unsolicited ARP traffic, wolfIP
accepts neighbors addresses. This prevents overwriting/poisoning ARP tables when an attacker is trying to impersonate an existing neighbor.
For latency/performance optimizations, wolfIP is currently still populating the neighbor cache based on valid ARP requests from neighbors, if neighbors were not known.
Fenrir/226
edit: after Copilot's review, I decided to add an aging mechanism to limit issues with renewal of neighbors records. Also added tests to check aging.