Source-Changes-HG archive


[src/trunk]: src/crypto/dist/ipsec-tools Safety checks on informational messages



details:   https://anonhg.NetBSD.org/src/rev/5184d8deb6bc
branches:  trunk
changeset: 582957:5184d8deb6bc
user:      manu <manu%NetBSD.org@localhost>
date:      Tue Jul 12 14:13:10 2005 +0000

description:
Safety checks on informational messages

diffstat:

 crypto/dist/ipsec-tools/ChangeLog               |   4 ++++
 crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c |  24 +++++++++++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletions(-)

diffs (63 lines):

diff -r 921b19d1b53f -r 5184d8deb6bc crypto/dist/ipsec-tools/ChangeLog
--- a/crypto/dist/ipsec-tools/ChangeLog Tue Jul 12 14:12:20 2005 +0000
+++ b/crypto/dist/ipsec-tools/ChangeLog Tue Jul 12 14:13:10 2005 +0000
@@ -1,3 +1,7 @@
+2005-07-04  Emmanuel Dreyfus  <manu%netbsd.org@localhost>
+
+       * src/racoon/isakmp_inf.c: safety checks on informational messages
+
 2005-07-01  Emmanuel Dreyfus  <manu%netbsd.org@localhost>
 
        From Uri <urimobile%optonline.net@localhost>
diff -r 921b19d1b53f -r 5184d8deb6bc crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c   Tue Jul 12 14:12:20 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c   Tue Jul 12 14:13:10 2005 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: isakmp_inf.c,v 1.4 2005/05/08 08:57:26 manu Exp $      */
+/*     $NetBSD: isakmp_inf.c,v 1.5 2005/07/12 14:13:10 manu Exp $      */
 
 /* Id: isakmp_inf.c,v 1.14.4.2 2005/03/02 20:00:03 vanhu Exp */
 
@@ -149,6 +149,14 @@
        } else
                msg = vdup(msg0);
 
+       /* Safety check */
+       if (msg->l < sizeof(*isakmp) + sizeof(*gen)) {
+               plog(LLV_ERROR, LOCATION, NULL, 
+                       "ignore information because the "
+                       "message is way too short\n");
+               goto end;
+       }
+
        isakmp = (struct isakmp *)msg->v;
        gen = (struct isakmp_gen *)((caddr_t)isakmp + sizeof(struct isakmp));
 
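Review bot: The new length check `if (msg->l < sizeof(*isakmp) + sizeof(*gen))` dereferences `msg` directly after `msg = vdup(msg0)`, and the contiguous context lines show no NULL test on the vdup() result in between. If vdup() can return NULL on allocation failure, as vmalloc() is assumed to later in this file, the safety check itself becomes a NULL dereference on a path driven by received packets. A guard such as `if (msg == NULL) goto end;` ahead of the check would cover it, assuming the `end` label tolerates a NULL `msg`. The function begins and ends outside this hunk, so that cannot be confirmed here.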
@@ -168,6 +176,14 @@
 
        {
                void *p;
+               /* Safety check */
+               if (msg->l < sizeof(*isakmp) + ntohs(gen->len) + sizeof(*nd)) {
+                       plog(LLV_ERROR, LOCATION, NULL, 
+                               "ignore information because the "
+                               "message is too short\n");
+                       goto end;
+               }
+
                vchar_t *hash, *payload;
                struct isakmp_gen *nd;
 
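Review bot: The check inserted after `void *p;` uses `sizeof(*nd)` before `struct isakmp_gen *nd;` is declared further down in the same block, so unless an outer `nd` is in scope (not visible here) this does not compile. It also places a statement ahead of the remaining declarations, which pre-C99 compilers reject. Moving the check below the declarations and naming the type fixes both: `if (msg->l < sizeof(*isakmp) + ntohs(gen->len) + sizeof(struct isakmp_gen)) {`. It would also be worth rejecting `ntohs(gen->len) < sizeof(*gen)` at this point, since a length smaller than the generic header makes the offset used to locate the next payload unreliable. The block continues past the end of the hunk.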
@@ -182,6 +198,12 @@
                        goto end;
                }
 
+               if (ntohs(nd->len) < sizeof(*nd)) {
+                       plog(LLV_ERROR, LOCATION, NULL,
+                               "too short payload length (broken message?)\n");
+                       goto end;
+               }
+
                payload = vmalloc(ntohs(nd->len));
                if (payload == NULL) {
                        plog(LLV_ERROR, LOCATION, NULL,
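Review bot: The added `ntohs(nd->len) < sizeof(*nd)` test bounds the payload length only from below; nothing visible compares it with the bytes actually remaining in `msg`. The earlier check guarantees just `sizeof(*nd)` bytes at that offset. If the code after `vmalloc(ntohs(nd->len))` copies that many bytes out of the message (it lies outside this hunk, so this is not confirmed), a length field chosen by the peer can cause a read past the end of the receive buffer. An upper-bound test beside the new one would close this: `if (msg->l < sizeof(*isakmp) + ntohs(gen->len) + ntohs(nd->len)) goto end;`, with a plog() line matching the others.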


