| author | Martin Pieuchot <mpi@cvs.openbsd.org> | 2017-07-18 06:19:08 +0000 |
|---|---|---|
| committer | Martin Pieuchot <mpi@cvs.openbsd.org> | 2017-07-18 06:19:08 +0000 |
| commit | f9813a2b5d8e19eb1f37f0264a95ca78699e6206 (patch) | |
| tree | a61bcd63617154c2fc551af14b77d30c288cf788 /sbin | |
| parent | f1aedce45e5646b5a858a34522726d4028cadfb3 (diff) | |
Prevent a NULL dereference when comparing incomplete SAs.
This dereference can occur because sa_find() is called from a timer and
iterates over all existing `sa'. At that time the corresponding
`finalize_exchange' might not have been called, in which case it is
unsafe to dereference `src_net', `dst_net' & co.
Issue reported by Michał Koc. ok hshoexer@, markus@
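The failure mode described in the commit message, modelled as an added example that is not isakmpd's code: a timer-driven lookup walks every SA in a list, including one whose exchange has not been finalized, so its address pointers are still NULL. The `struct ipsec_sa`, the `sa_is_complete()` / `flow_matches()` / `sa_find_flow()` helpers and the sample SAs below are all constructed for this example; only the field names mirror the ones in the commit, and the address comparison is reduced to AF_INET for brevity.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/*
 * Constructed model of an isakmpd-style IPsec SA for this example: the
 * address pointers stay NULL until the exchange that negotiated the SA has
 * been finalized.  This struct and the helpers below are not isakmpd's code.
 */
struct ipsec_sa {
	unsigned short sport, dport;
	struct sockaddr *src_net, *dst_net;
	struct sockaddr *src_mask, *dst_mask;
};

/* Compare two sockaddrs by family and address bytes (AF_INET only here). */
static int
addr_equal(const struct sockaddr *a, const struct sockaddr *b)
{
	if (a->sa_family != b->sa_family || a->sa_family != AF_INET)
		return 0;
	return memcmp(&((const struct sockaddr_in *)a)->sin_addr,
	    &((const struct sockaddr_in *)b)->sin_addr,
	    sizeof(struct in_addr)) == 0;
}

/* An SA is complete once all four address pointers have been filled in. */
int
sa_is_complete(const struct ipsec_sa *isa)
{
	return isa->src_net != NULL && isa->dst_net != NULL &&
	    isa->src_mask != NULL && isa->dst_mask != NULL;
}

/*
 * Hardened flow comparison.  Without the completeness guard, the first
 * addr_equal() call would dereference a NULL src_net on a pending SA.
 * An incomplete SA on either side is treated as "no match" (returns 0).
 */
int
flow_matches(const struct ipsec_sa *isa, const struct ipsec_sa *isa2)
{
	if (isa->sport != isa2->sport || isa->dport != isa2->dport)
		return 0;
	if (!sa_is_complete(isa) || !sa_is_complete(isa2))
		return 0;
	return addr_equal(isa->src_net, isa2->src_net) &&
	    addr_equal(isa->dst_net, isa2->dst_net) &&
	    addr_equal(isa->src_mask, isa2->src_mask) &&
	    addr_equal(isa->dst_mask, isa2->dst_mask);
}

/*
 * Timer-style lookup over every SA in the list, complete or not.  Returns
 * the index of the first SA whose flow matches `needle', or -1.
 */
int
sa_find_flow(struct ipsec_sa *const *sas, size_t n,
    const struct ipsec_sa *needle)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (flow_matches(sas[i], needle))
			return (int)i;
	return -1;
}

/* Build an AF_INET sockaddr from dotted-quad text. */
static struct sockaddr *
mk_addr(struct sockaddr_in *sin, const char *ip)
{
	memset(sin, 0, sizeof(*sin));
	sin->sin_family = AF_INET;
	inet_pton(AF_INET, ip, &sin->sin_addr);
	return (struct sockaddr *)sin;
}

/*
 * Constructed sample list: sa_list[0] is still being negotiated (its
 * pointers are NULL, as before finalize_exchange()), sa_list[1] is complete.
 */
static struct sockaddr_in addrs[8];
static struct ipsec_sa pending, done, needle;
static struct ipsec_sa *sa_list[2] = { &pending, &done };

void
build_sample(void)
{
	pending.sport = done.sport = needle.sport = 500;
	pending.dport = done.dport = needle.dport = 500;
	done.src_net  = mk_addr(&addrs[0], "10.0.1.0");
	done.dst_net  = mk_addr(&addrs[1], "10.0.2.0");
	done.src_mask = mk_addr(&addrs[2], "255.255.255.0");
	done.dst_mask = mk_addr(&addrs[3], "255.255.255.0");
	needle.src_net  = mk_addr(&addrs[4], "10.0.1.0");
	needle.dst_net  = mk_addr(&addrs[5], "10.0.2.0");
	needle.src_mask = mk_addr(&addrs[6], "255.255.255.0");
	needle.dst_mask = mk_addr(&addrs[7], "255.255.255.0");
}

int
main(void)
{
	build_sample();
	/* The pending SA at index 0 is skipped safely; index 1 matches. */
	printf("match index: %d\n", sa_find_flow(sa_list, 2, &needle));
	return 0;
}
```

The guard sits before any pointer dereference, which is the property that matters: the lookup may legitimately visit an SA at any point of its lifetime, so the comparison must be safe for every state the object can be in, not just the finalized one.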
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/isakmpd/ipsec.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c index 6980cfee9f3..a72a9c6cf90 100644 --- a/sbin/isakmpd/ipsec.c +++ b/sbin/isakmpd/ipsec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec.c,v 1.146 2015/12/10 17:27:00 mmcc Exp $ */ +/* $OpenBSD: ipsec.c,v 1.147 2017/07/18 06:19:07 mpi Exp $ */ /* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */ /* @@ -272,6 +272,15 @@ ipsec_sa_check_flow_any(struct sa *sa, void *v_arg) isa->dport != isa2->dport) return 0; + /* + * If at least one of the IPsec SAs is incomplete, we're done. + */ + if (isa->src_net == NULL || isa2->src_net == NULL || + isa->dst_net == NULL || isa2->dst_net == NULL || + isa->src_mask == NULL || isa2->src_mask == NULL || + isa->dst_mask == NULL || isa2->dst_mask == NULL) + return 0; + return isa->src_net->sa_family == isa2->src_net->sa_family && memcmp(sockaddr_addrdata(isa->src_net), sockaddr_addrdata(isa2->src_net), |
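Review bot: The new guard in ipsec_sa_check_flow_any() returns 0, i.e. "no match", whenever either SA is incomplete; that is the right conservative answer for a lookup driven from sa_find(), but the comment `If at least one of the IPsec SAs is incomplete, we're done.` should say so, since "done" reads as "finished comparing" rather than "not equal". Suggested wording: `/* An incomplete SA cannot match anything yet; treat as unequal. */`. The eight NULL checks could also be folded into one per-side completeness helper (hypothetical name: `sa_is_complete()`), which keeps the condition in step if finalize_exchange() later fills in further fields that this function starts to use. Finally, the `src_mask` / `dst_mask` checks are only needed if the lines after the visible `memcmp(sockaddr_addrdata(isa->src_net), ...)` dereference them; that continuation is cut off on this page, so confirm against the full function before relying on this review.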