diff options
| author | Niels Provos <provos@cvs.openbsd.org> | 1998-05-05 08:54:51 +0000 |
|---|---|---|
| committer | Niels Provos <provos@cvs.openbsd.org> | 1998-05-05 08:54:51 +0000 |
| commit | 8aa8dff64b78dac3f5199e632c0f815bc37ff2a0 (patch) | |
| tree | 963390d7b13f6d80a4a1c83c5091bfb77b0c429b /sys | |
| parent | f2a13b7d4c036f163fa707c447123cdc51490d61 (diff) | |
check for invalid padding length, reported by Dan McDonald (Sun Microsystems)
<danmcd@eng.sun.com>
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/netinet/ip_esp_new.c | 24 | ||||
| -rw-r--r-- | sys/netinet/ip_esp_old.c | 16 |
2 files changed, 36 insertions, 4 deletions
diff --git a/sys/netinet/ip_esp_new.c b/sys/netinet/ip_esp_new.c index c361ab73853..db82e166ed0 100644 --- a/sys/netinet/ip_esp_new.c +++ b/sys/netinet/ip_esp_new.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp_new.c,v 1.17 1998/03/07 21:30:24 provos Exp $ */ +/* $OpenBSD: ip_esp_new.c,v 1.18 1998/05/05 08:54:48 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -555,7 +555,7 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) plen = m->m_pkthdr.len - (ip->ip_hl << 2) - 2 * sizeof(u_int32_t) - xd->edx_ivlen - alen; - if (plen & (blks - 1)) + if ((plen & (blks - 1)) || (plen <= 0)) { #ifdef ENCDEBUG if (encdebug) @@ -765,6 +765,16 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) if ((xd->edx_flags & ESP_NEW_FLAG_NPADDING) == 0) { + if (blk[6] + 2 + alen > m->m_pkthdr.len - (ip->ip_hl << 2) - 2 * sizeof(u_int32_t) - xd->edx_ivlen) + { +#ifdef ENCDEBUG + if (encdebug) + printf("esp_new_input(): invalid padding length %d for packet from %x to %x, SA %x/%08x\n", blk[6], ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); +#endif /* ENCDEBUG */ + espstat.esps_badilen++; + m_freem(m); + return NULL; + } if ((blk[6] != blk[5]) && (blk[6] != 0)) { if (encdebug) @@ -777,6 +787,16 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) } else { + if (blk[6] + 1 + alen > m->m_pkthdr.len - (ip->ip_hl << 2) - 2 * sizeof(u_int32_t) - xd->edx_ivlen) + { +#ifdef ENCDEBUG + if (encdebug) + printf("esp_new_input(): invalid padding length %d for packet from %x to %x, SA %x/%08x\n", blk[6], ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); +#endif /* ENCDEBUG */ + espstat.esps_badilen++; + m_freem(m); + return NULL; + } if (blk[6] == 0) { if (encdebug) diff --git a/sys/netinet/ip_esp_old.c b/sys/netinet/ip_esp_old.c index 2d294d1d3fb..485f70c4d3b 100644 --- a/sys/netinet/ip_esp_old.c +++ b/sys/netinet/ip_esp_old.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp_old.c,v 1.15 1998/03/07 21:30:26 provos Exp $ */ +/* $OpenBSD: ip_esp_old.c,v 1.16 1998/05/05 08:54:50 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -344,7 +344,7 @@ esp_old_input(struct mbuf *m, struct tdb *tdb) /* Skip the IP header, IP options, SPI and IV */ plen = m->m_pkthdr.len - (ip->ip_hl << 2) - sizeof(u_int32_t) - xd->edx_ivlen; - if (plen & (blks - 1)) + if ((plen & (blks - 1)) || (plen <= 0)) { #ifdef ENCDEBUG if (encdebug) @@ -497,6 +497,18 @@ esp_old_input(struct mbuf *m, struct tdb *tdb) * We cannot verify the decryption here (as in ip_esp_new.c), since * the padding may be random. */ + + if (blk[6] + 2 > m->m_pkthdr.len - (ip->ip_hl << 2) - sizeof(u_int32_t) - + xd->edx_ivlen) + { +#ifdef ENCDEBUG + if (encdebug) + printf("esp_old_input(): invalid padding length %d for packet from %x to %x, SA %x/%08x\n", blk[6], ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); +#endif /* ENCDEBUG */ + espstat.esps_badilen++; + m_freem(m); + return NULL; + } m_adj(m, -blk[6] - 2); m_adj(m, 4 + xd->edx_ivlen); |