Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
Normally all requests sent via the meta connections are checked so that they
cannot be larger than the input buffer. However, when packets are forwarded via
meta connections, they are copied into a packet buffer without checking whether
it fits into it. Since the packet buffer is allocated on the stack, this in
effect allows an authenticated remote node to cause a stack overflow.

This issue was found by Martin Schobert.
gsliepen committed Apr 12, 2013
1 parent 85a8412 commit 17a33df
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions src/net_packet.c
Expand Up @@ -394,6 +394,9 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
void receive_tcppacket(connection_t *c, const char *buffer, int len) {
vpn_packet_t outpkt;

if(len > sizeof outpkt.data)
return;

outpkt.len = len;
if(c->options & OPTION_TCPONLY)
outpkt.priority = 0;
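Review bot: The new check `if(len > sizeof outpkt.data)` at the top of receive_tcppacket() compares the signed `int len` parameter against a `size_t`, so a negative `len` is rejected only because the usual arithmetic conversions turn it into a very large unsigned value. That works where `size_t` is at least as wide as `int`, but it is implicit and trips -Wsign-compare; `if(len < 0 || (size_t)len > sizeof outpkt.data)` states the intent directly. The early `return` also drops the packet silently: a debug-level log line identifying the connection would let operators see when an authenticated peer forwards oversized packets. A one-line comment noting that the bound protects the stack-allocated `outpkt` would help later readers keep the check in place.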