author | Markus Friedl <markus@cvs.openbsd.org> | 2010-03-04 13:55:29 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2010-03-04 13:55:29 +0000 |
commit | afa44d03d4c65c1254e4f0c975443fc9c5cfe86d (patch) | |
tree | 8cd6f17d87d3bca67d27690214309639b7cb8d7b | |
parent | bafd84483eca464a598c23c1c9d63b7f279915f9 (diff) |
don't crash on invalid phase 2 IDs; from hshoexer; ok sthen@
-rw-r--r-- | sbin/isakmpd/ike_quick_mode.c | 34 | ||||
-rw-r--r-- | sbin/isakmpd/ipsec.c | 14 |
2 files changed, 46 insertions, 2 deletions
diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c
index 677819acedd..5de7d70db4f 100644
--- a/sbin/isakmpd/ike_quick_mode.c
+++ b/sbin/isakmpd/ike_quick_mode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_quick_mode.c,v 1.103 2009/11/13 22:07:59 deraadt Exp $ */
+/* $OpenBSD: ike_quick_mode.c,v 1.104 2010/03/04 13:55:28 markus Exp $ */
 /* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */

 /*
@@ -1080,6 +1080,22 @@ initiator_recv_HASH_SA_NONCE(struct message *msg)
 if (kep)
 ie->pfs = 1;

+ /* Drop message when it contains ID types we do not implement yet. */
+ TAILQ_FOREACH(idp, &msg->payload[ISAKMP_PAYLOAD_ID], link) {
+ switch (GET_ISAKMP_ID_TYPE(idp->p)) {
+ case IPSEC_ID_IPV4_ADDR:
+ case IPSEC_ID_IPV4_ADDR_SUBNET:
+ case IPSEC_ID_IPV6_ADDR:
+ case IPSEC_ID_IPV6_ADDR_SUBNET:
+ break;
+
+ default:
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION,
+ 0, 1, 0);
+ return -1;
+ }
+ }
+
 /* Handle optional client ID payloads. */
 idp = payload_first(msg, ISAKMP_PAYLOAD_ID);
 if (idp) {
@@ -1507,6 +1523,22 @@ responder_recv_HASH_SA_NONCE(struct message *msg)
 if (kep)
 ie->pfs = 1;

+ /* Drop message when it contains ID types we do not implement yet. */
+ TAILQ_FOREACH(idp, &msg->payload[ISAKMP_PAYLOAD_ID], link) {
+ switch (GET_ISAKMP_ID_TYPE(idp->p)) {
+ case IPSEC_ID_IPV4_ADDR:
+ case IPSEC_ID_IPV4_ADDR_SUBNET:
+ case IPSEC_ID_IPV6_ADDR:
+ case IPSEC_ID_IPV6_ADDR_SUBNET:
+ break;
+
+ default:
+ message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION,
+ 0, 1, 0);
+ goto cleanup;
+ }
+ }
+
 /* Handle optional client ID payloads. */
 idp = payload_first(msg, ISAKMP_PAYLOAD_ID);
 if (idp) {
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 70e696a31ea..87ef6205ddb 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.133 2010/01/10 12:39:43 markus Exp $ */
+/* $OpenBSD: ipsec.c,v 1.134 2010/03/04 13:55:28 markus Exp $ */
 /* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */

 /*
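Review bot: The list of accepted ID types is now written out in this loop, again in the identical loop added to responder_recv_HASH_SA_NONCE in the next hunk, and implicitly in the switches of ipsec_set_network, and the crash being fixed appears to come from exactly that kind of disagreement between what is accepted and what is handled. A single static helper called by both handlers would keep the pre-check in step when another ID type is implemented. This path also leaves with `return -1` while the responder uses `goto cleanup`; the function body starts and ends outside the hunk, so confirm nothing acquired earlier in the initiator needs releasing here. Only the type byte is checked; whether the ID payload length is validated for the accepted types is not visible in this hunk.

```c
/* Return non-zero for the phase 2 ID types the quick mode handlers accept. */
static int
ipsec_id_type_supported(u_int8_t type)
{
	switch (type) {
	case IPSEC_ID_IPV4_ADDR:
	case IPSEC_ID_IPV4_ADDR_SUBNET:
	case IPSEC_ID_IPV6_ADDR:
	case IPSEC_ID_IPV6_ADDR_SUBNET:
		return 1;
	default:
		return 0;
	}
}

	/* … unchanged: kep / pfs handling … */
	TAILQ_FOREACH(idp, &msg->payload[ISAKMP_PAYLOAD_ID], link) {
		if (!ipsec_id_type_supported(GET_ISAKMP_ID_TYPE(idp->p))) {
			message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION,
			    0, 1, 0);
			return -1;
		}
	}
```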
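Review bot: The default branch in responder_recv_HASH_SA_NONCE drops the message without recording which ID type the peer sent, unless message_drop does that itself, which is not visible here. A line such as `log_print("responder_recv_HASH_SA_NONCE: unsupported ID type %d", GET_ISAKMP_ID_TYPE(idp->p));` before the message_drop call would let an operator tell a misconfigured peer from malformed traffic when reading the logs. The same applies to the initiator loop in the previous hunk. The function body continues outside the hunk.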
@@ -581,6 +581,7 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
 case IPSEC_ID_IPV6_RANGE:
 case IPSEC_ID_DER_ASN1_DN:
 case IPSEC_ID_DER_ASN1_GN:
+ case IPSEC_ID_FQDN:
 case IPSEC_ID_KEY_ID:
 default:
 log_print("ipsec_set_network: ID type %d (%s) not supported",
@@ -650,6 +651,17 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
 isa->dst_mask->sa_family = AF_INET6;
 isa->dst_mask->sa_len = sizeof(struct sockaddr_in6);
 break;
+
+ case IPSEC_ID_IPV4_RANGE:
+ case IPSEC_ID_IPV6_RANGE:
+ case IPSEC_ID_DER_ASN1_DN:
+ case IPSEC_ID_DER_ASN1_GN:
+ case IPSEC_ID_FQDN:
+ case IPSEC_ID_KEY_ID:
+ default:
+ log_print("ipsec_set_network: ID type %d (%s) not supported",
+ id, constant_name(ipsec_id_cst, id));
+ return -1;
 }

 /* Net */ |
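Review bot: The log message in the new default branch of the second hunk is identical to the one already present in the earlier switch of ipsec_set_network (visible as context in the -581 hunk), so a log line alone does not say which of the two IDs was rejected. Since this switch sets isa->dst_mask it appears to handle the destination ID, and wording such as `log_print("ipsec_set_network: dst ID type %d (%s) not supported",` would make the two cases distinguishable. The early `return -1` also leaves in place whatever the earlier part of the function stored in isa; the function body is outside the hunk, so confirm that callers check the result and release isa rather than continuing with a partly filled SA.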