summaryrefslogtreecommitdiff
path: root/sbin/isakmpd
diff options
context:
space:
mode:
authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-08-09 12:50:09 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-08-09 12:50:09 +0000
commit42458dd3876612514ccca0f134b0fc74d9e0efe5 (patch)
treec6f0f08a629f6988c8919a3d553d306196326e2c /sbin/isakmpd
parent956a95cc59d443fe3288e258f8a7548ffdb69ac0 (diff)
Normalize attribute values before comparison. Unbreaks interop with netscreen.
Noticed by Sean Knox. Testing by msf@, Sean Knox and others. Thanks! ok cloder@ msf@
Diffstat (limited to 'sbin/isakmpd')
-rw-r--r--sbin/isakmpd/sa.c29
1 files changed, 27 insertions, 2 deletions
diff --git a/sbin/isakmpd/sa.c b/sbin/isakmpd/sa.c
index c7480eb9fbb..601b0c9360b 100644
--- a/sbin/isakmpd/sa.c
+++ b/sbin/isakmpd/sa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.c,v 1.100 2005/07/25 14:56:42 hshoexer Exp $ */
+/* $OpenBSD: sa.c,v 1.101 2005/08/09 12:50:08 hshoexer Exp $ */
/* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */
/*
@@ -896,6 +896,7 @@ sa_isakmp_upgrade(struct message *msg)
struct attr_validation_state {
u_int8_t *attrp[ATTRS_SIZE];
u_int8_t checked[ATTRS_SIZE];
+ u_int16_t len[ATTRS_SIZE];
int phase; /* IKE (1) or IPSEC (2) attrs? */
int mode; /* 0 = 'load', 1 = check */
};
@@ -905,6 +906,8 @@ static int
sa_validate_xf_attrs(u_int16_t type, u_int8_t *value, u_int16_t len,
void *arg)
{
+ int val0, val1;
+
struct attr_validation_state *avs =
(struct attr_validation_state *)arg;
@@ -925,6 +928,7 @@ sa_validate_xf_attrs(u_int16_t type, u_int8_t *value, u_int16_t len,
if (avs->mode == 0) { /* Load attrs. */
avs->attrp[type] = value;
+ avs->len[type] = len;
return 0;
}
/* Checking for a missing attribute is an immediate failure. */
@@ -933,7 +937,28 @@ sa_validate_xf_attrs(u_int16_t type, u_int8_t *value, u_int16_t len,
/* Match the loaded attribute against this one, mark it as checked. */
avs->checked[type]++;
- return memcmp(avs->attrp[type], value, len);
+ switch (len) {
+ case 2:
+ val0 = (int)decode_16(value);
+ break;
+ case 4:
+ val0 = (int)decode_32(value);
+ break;
+ default:
+ return 1;
+ }
+ switch (avs->len[type]) {
+ case 2:
+ val1 = (int)decode_16(avs->attrp[type]);
+ break;
+ case 4:
+ val1 = (int)decode_32(avs->attrp[type]);
+ break;
+ default:
+ return 1;
+ }
+ /* Return 0 when the values are equal. */
+ return (val0 != val1);
}
/*