Skip to content
Browse files

Drop packets forwarded via TCP if they are too big (CVE-2013-1428).

Normally all requests sent via the meta connections are checked so that they
cannot be larger than the input buffer. However, when packets are forwarded via
meta connections, they are copied into a packet buffer without checking whether
it fits into it. Since the packet buffer is allocated on the stack, this in
effect allows an authenticated remote node to cause a stack overflow.

This issue was found by Martin Schobert.
  • Loading branch information...
1 parent 85a8412 commit 17a33dfd95b1a29e90db76414eb9622df9632320 @gsliepen committed
Showing with 3 additions and 0 deletions.
  1. +3 −0 src/net_packet.c
View
3 src/net_packet.c
@@ -394,6 +394,9 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
void receive_tcppacket(connection_t *c, const char *buffer, int len) {
vpn_packet_t outpkt;
+ if(len > sizeof outpkt.data)
+ return;
+
outpkt.len = len;
if(c->options & OPTION_TCPONLY)
outpkt.priority = 0;

0 comments on commit 17a33df

Please sign in to comment.
Something went wrong with that request. Please try again.