Source-Changes-HG archive


[src/netbsd-3]: src/crypto/dist/ipsec-tools/src/racoon Pull up revision 1.5 (...



details:   https://anonhg.NetBSD.org/src/rev/4fc0e906ae09
branches:  netbsd-3
changeset: 576603:4fc0e906ae09
user:      tron <tron%NetBSD.org@localhost>
date:      Tue Jul 12 17:31:25 2005 +0000

description:
Pull up revision 1.5 (requested by manu in ticket #579):
Safety checks on informational messages

diffstat:

 crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c |  24 +++++++++++++++++++++++-
 1 files changed, 23 insertions(+), 1 deletions(-)

diffs (52 lines):

diff -r 7aee71f52d7e -r 4fc0e906ae09 crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c   Tue Jul 12 17:30:08 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c   Tue Jul 12 17:31:25 2005 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: isakmp_inf.c,v 1.1.1.3.2.3 2005/05/11 12:17:19 tron Exp $      */
+/*     $NetBSD: isakmp_inf.c,v 1.1.1.3.2.4 2005/07/12 17:31:25 tron Exp $      */
 
 /* Id: isakmp_inf.c,v 1.14.4.2 2005/03/02 20:00:03 vanhu Exp */
 
@@ -149,6 +149,14 @@
        } else
                msg = vdup(msg0);
 
+       /* Safety check */
+       if (msg->l < sizeof(*isakmp) + sizeof(*gen)) {
+               plog(LLV_ERROR, LOCATION, NULL, 
+                       "ignore information because the "
+                       "message is way too short\n");
+               goto end;
+       }
+
        isakmp = (struct isakmp *)msg->v;
        gen = (struct isakmp_gen *)((caddr_t)isakmp + sizeof(struct isakmp));
 
@@ -168,6 +176,14 @@
 
        {
                void *p;
+               /* Safety check */
+               if (msg->l < sizeof(*isakmp) + ntohs(gen->len) + sizeof(*nd)) {
+                       plog(LLV_ERROR, LOCATION, NULL, 
+                               "ignore information because the "
+                               "message is too short\n");
+                       goto end;
+               }
+
                vchar_t *hash, *payload;
                struct isakmp_gen *nd;
 
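Review bot: The added check sits between `void *p;` and the declarations of `hash`, `payload` and `nd`, and its `sizeof(*nd)` names `nd` before this block declares it. Unless an outer `nd` is in scope (not visible here) that does not compile, and a statement ahead of declarations is rejected by C89 compilers in any case. Moving the whole `if` below `struct isakmp_gen *nd;` avoids both. Separately, `ntohs(gen->len)` is used only as an offset; adding a lower bound such as `ntohs(gen->len) < sizeof(*gen)` to the rejection would keep `nd` from overlapping the first payload header. The block continues past the end of the hunk.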
@@ -182,6 +198,12 @@
                        goto end;
                }
 
+               if (ntohs(nd->len) < sizeof(*nd)) {
+                       plog(LLV_ERROR, LOCATION, NULL,
+                               "too short payload length (broken message?)\n");
+                       goto end;
+               }
+
                payload = vmalloc(ntohs(nd->len));
                if (payload == NULL) {
                        plog(LLV_ERROR, LOCATION, NULL,
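Review bot: `ntohs(nd->len)` gets a lower bound here but no upper bound against what is left of the message. `payload` is then allocated with that peer-supplied length, and if the code after the hunk copies `nd->len` bytes starting at `nd` (presumably; the copy is not visible), a length larger than the remaining data reads past the end of `msg`. A companion test before the allocation would cover it: `if (ntohs(nd->len) > msg->l - (sizeof(*isakmp) + ntohs(gen->len))) goto end;`, with its own log line. The subtraction cannot wrap, because the earlier check already requires `msg->l` to cover `sizeof(*isakmp) + ntohs(gen->len) + sizeof(*nd)`.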


