From 7a008c21ee7f40afa81179a472b91c0c16a8118c Mon Sep 17 00:00:00 2001
From: Richard Holland
Date: Thu, 16 Feb 2023 13:54:36 +0000
Subject: [PATCH] enforce network ID on peer handshake

---
 src/ripple/overlay/impl/Handshake.cpp | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/ripple/overlay/impl/Handshake.cpp b/src/ripple/overlay/impl/Handshake.cpp
index 793dec19e..040bb1ddf 100644
--- a/src/ripple/overlay/impl/Handshake.cpp
+++ b/src/ripple/overlay/impl/Handshake.cpp
@@ -237,14 +237,17 @@ verifyHandshake(
 throw std::runtime_error("Invalid server domain");
 }
 
- if (auto const iter = headers.find("Network-ID"); iter != headers.end())
+ // Check the network. Omitting Network-ID (on either side ours, or theirs) means NID=0
 {
- std::uint32_t nid;
+ uint32_t peer_nid = 0;
+ if (auto const iter = headers.find("Network-ID"); iter != headers.end())
+ {
+ if (!beast::lexicalCastChecked(peer_nid, iter->value().to_string()))
+ throw std::runtime_error("Invalid peer network identifier");
+ }
 
- if (!beast::lexicalCastChecked(nid, iter->value().to_string()))
- throw std::runtime_error("Invalid peer network identifier");
-
- if (networkID && nid != *networkID)
+ uint32_t our_nid = networkID ? *networkID : 0;
+ if (peer_nid != our_nid)
 throw std::runtime_error("Peer is on a different network");
 }
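Review bot: The mismatch branch at `if (peer_nid != our_nid)` throws a fixed string, so whoever reads the rejection cannot tell which ID the peer announced; because a missing header is now read as 0 on both sides, a peer that simply lacks a configured network ID looks the same in the error as one from another chain. Consider carrying both values, `throw std::runtime_error("Peer is on a different network: peer " + std::to_string(peer_nid) + ", ours " + std::to_string(our_nid));`, provided nothing matches on the exact message (not visible here). The new locals use unqualified `uint32_t` where the removed line used `std::uint32_t`; keeping the qualified form would stay consistent with the code being replaced. verifyHandshake starts and continues outside the hunk, so how this exception is logged or surfaced cannot be checked from here.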