authorMarkus Friedl <markus@cvs.openbsd.org>2010-03-04 13:55:29 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2010-03-04 13:55:29 +0000
commitafa44d03d4c65c1254e4f0c975443fc9c5cfe86d (patch)
tree8cd6f17d87d3bca67d27690214309639b7cb8d7b
parentbafd84483eca464a598c23c1c9d63b7f279915f9 (diff)
don't crash on invalid phase 2 IDs; from hshoexer; ok sthen@
-rw-r--r--sbin/isakmpd/ike_quick_mode.c34
-rw-r--r--sbin/isakmpd/ipsec.c14
2 files changed, 46 insertions, 2 deletions
diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c
index 677819acedd..5de7d70db4f 100644
--- a/sbin/isakmpd/ike_quick_mode.c
+++ b/sbin/isakmpd/ike_quick_mode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_quick_mode.c,v 1.103 2009/11/13 22:07:59 deraadt Exp $ */
+/* $OpenBSD: ike_quick_mode.c,v 1.104 2010/03/04 13:55:28 markus Exp $ */
/* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */
/*
@@ -1080,6 +1080,22 @@ initiator_recv_HASH_SA_NONCE(struct message *msg)
if (kep)
ie->pfs = 1;
+ /* Drop message when it contains ID types we do not implement yet. */
+ TAILQ_FOREACH(idp, &msg->payload[ISAKMP_PAYLOAD_ID], link) {
+ switch (GET_ISAKMP_ID_TYPE(idp->p)) {
+ case IPSEC_ID_IPV4_ADDR:
+ case IPSEC_ID_IPV4_ADDR_SUBNET:
+ case IPSEC_ID_IPV6_ADDR:
+ case IPSEC_ID_IPV6_ADDR_SUBNET:
+ break;
+
+ default:
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION,
+ 0, 1, 0);
+ return -1;
+ }
+ }
+
/* Handle optional client ID payloads. */
idp = payload_first(msg, ISAKMP_PAYLOAD_ID);
if (idp) {
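Review bot: The four-entry allowlist of ID types in this loop is repeated verbatim in the `responder_recv_HASH_SA_NONCE` hunk and has to stay in step with the address cases `ipsec_set_network` handles in ipsec.c, so the same policy now lives in three places. If one copy is later extended (for example when range IDs are implemented) and another is not, a peer-supplied ID type could again reach code that does not expect it. I would move the loop into one static helper in this file that returns non-zero when every ID payload has a supported type, and use it in both functions as `if (!quick_mode_ids_supported(msg)) {` (helper name is only a suggestion), keeping the existing `message_drop` call and each function's own exit (`return -1` here, `goto cleanup` in the responder). Both function bodies start and end outside the hunks shown.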
@@ -1507,6 +1523,22 @@ responder_recv_HASH_SA_NONCE(struct message *msg)
if (kep)
ie->pfs = 1;
+ /* Drop message when it contains ID types we do not implement yet. */
+ TAILQ_FOREACH(idp, &msg->payload[ISAKMP_PAYLOAD_ID], link) {
+ switch (GET_ISAKMP_ID_TYPE(idp->p)) {
+ case IPSEC_ID_IPV4_ADDR:
+ case IPSEC_ID_IPV4_ADDR_SUBNET:
+ case IPSEC_ID_IPV6_ADDR:
+ case IPSEC_ID_IPV6_ADDR_SUBNET:
+ break;
+
+ default:
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION,
+ 0, 1, 0);
+ goto cleanup;
+ }
+ }
+
/* Handle optional client ID payloads. */
idp = payload_first(msg, ISAKMP_PAYLOAD_ID);
if (idp) {
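Review bot: The `goto cleanup` on the reject path is taken before the client ID handling below, and the `cleanup` label is outside this hunk, so it is not visible whether everything that label releases is already initialised at this point. Since the ID type comes from the peer, an uninitialised pointer there would trade one peer-triggered crash for another, so please confirm that the locals freed under `cleanup` are NULL-initialised at declaration. Once confirmed, a short comment on the jump such as `/* cleanup only frees NULL-initialised pointers here */` would record that for the next reader. The initiator hunk uses a plain `return -1` at the same point, which suggests nothing is held there, but that also depends on code outside the hunk.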
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 70e696a31ea..87ef6205ddb 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.133 2010/01/10 12:39:43 markus Exp $ */
+/* $OpenBSD: ipsec.c,v 1.134 2010/03/04 13:55:28 markus Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
@@ -581,6 +581,7 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
case IPSEC_ID_IPV6_RANGE:
case IPSEC_ID_DER_ASN1_DN:
case IPSEC_ID_DER_ASN1_GN:
+ case IPSEC_ID_FQDN:
case IPSEC_ID_KEY_ID:
default:
log_print("ipsec_set_network: ID type %d (%s) not supported",
@@ -650,6 +651,17 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
isa->dst_mask->sa_family = AF_INET6;
isa->dst_mask->sa_len = sizeof(struct sockaddr_in6);
break;
+
+ case IPSEC_ID_IPV4_RANGE:
+ case IPSEC_ID_IPV6_RANGE:
+ case IPSEC_ID_DER_ASN1_DN:
+ case IPSEC_ID_DER_ASN1_GN:
+ case IPSEC_ID_FQDN:
+ case IPSEC_ID_KEY_ID:
+ default:
+ log_print("ipsec_set_network: ID type %d (%s) not supported",
+ id, constant_name(ipsec_id_cst, id));
+ return -1;
}
/* Net */
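Review bot: The new `log_print` in this second switch uses exactly the same text as the one in the function's earlier switch (previous hunk), so a log entry does not say which of the two IDs was rejected. This switch fills `isa->dst_mask`, so it appears to be the destination side; I would word it `log_print("ipsec_set_network: dst ID type %d (%s) not supported",` and, if the earlier switch is the source side, label that one `src`. The `return -1` here also happens after the first switch has run, so the caller has to release whatever that switch stored in `isa`. That code is outside the hunk and is worth confirming.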