Commit 17a33df

Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
Normally all requests sent via the meta connections are checked so that they cannot be larger than the input buffer. However, when packets are forwarded via meta connections, they are copied into a packet buffer without checking whether it fits into it. Since the packet buffer is allocated on the stack, this in effect allows an authenticated remote node to cause a stack overflow. This issue was found by Martin Schobert.
1 parent 85a8412 commit 17a33df

1 file changed: +3 -0 lines changed

Diff for: src/net_packet.c

@@ -394,6 +394,9 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
394394
void receive_tcppacket(connection_t *c, const char *buffer, int len) {
395395
vpn_packet_t outpkt;
396396

397+
if(len > sizeof outpkt.data)
398+
return;
399+
397400
outpkt.len = len;
398401
if(c->options & OPTION_TCPONLY)
399402
outpkt.priority = 0;
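
Review bot: the comparison `len > sizeof outpkt.data` at the top of `receive_tcppacket()` mixes the signed `int len` with an unsigned `size_t`, so a negative `len` is only rejected because it is implicitly converted to a large unsigned value. That outcome is the right one here, but it is invisible to the reader and will trip `-Wsign-compare`; consider spelling it out as `if(len < 0 || (size_t)len > sizeof outpkt.data)`. The early `return` also drops the packet silently: a log line naming the connection and the offending length would let an operator see that an authenticated peer is sending oversized forwarded packets, and a short comment above the check noting that `outpkt` lives on the stack would keep the check from being removed later.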
