summaryrefslogtreecommitdiff
path: root/sbin
diff options
context:
space:
mode:
authorJonathan Gray <jsg@cvs.openbsd.org>2024-02-03 00:54:15 +0000
committerJonathan Gray <jsg@cvs.openbsd.org>2024-02-03 00:54:15 +0000
commita7dad71f2e0b9ea8cdc7b8c5502184340492b286 (patch)
treefe67779041caecb09ddcb20335266163cb4ee5d6 /sbin
parent2907916b1b1626168388ab094cbadae5e0ea03ff (diff)
fix off-by-one in bounds test
found by "buffer overflow 'peerxfs' 6 <= 6" smatch error tobhe@ had a remote peer attempt a transform type of 6 and it is caught by earlier checks before getting here. ok tobhe@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/iked/policy.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index 1e39beac2ff..a9e783c82a4 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.97 2023/11/10 08:03:02 tobhe Exp $ */
+/* $OpenBSD: policy.c,v 1.98 2024/02/03 00:54:14 jsg Exp $ */
/*
* Copyright (c) 2020-2021 Tobias Heider <tobhe@openbsd.org>
@@ -1091,7 +1091,7 @@ proposals_match(struct iked_proposal *local, struct iked_proposal *peer,
for (i = 0; i < peer->prop_nxforms; i++) {
tpeer = peer->prop_xforms + i;
- if (tpeer->xform_type > IKEV2_XFORMTYPE_MAX)
+ if (tpeer->xform_type >= IKEV2_XFORMTYPE_MAX)
continue;
if (noauth && tpeer->xform_type == IKEV2_XFORMTYPE_INTEGR)
return (0);