Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

drop packet if it looks to be truncated/length field is bogus.

be sure to dummy read the packet if memory allocation is failed.

XXX more sanity check
  • Loading branch information...
commit 74730a13261b5eee719b42287aee04cb581724bc 1 parent f926336
itojun authored
Showing with 22 additions and 2 deletions.
  1. +22 −2 kame/kame/racoon/isakmp.c
24 kame/kame/racoon/isakmp.c
View
@@ -1,4 +1,4 @@
-/* $KAME: isakmp.c,v 1.110 2000/11/09 06:28:03 sakane Exp $ */
+/* $KAME: isakmp.c,v 1.111 2000/12/10 09:16:37 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -172,7 +172,21 @@ isakmp_handler(so_isakmp)
/* check isakmp header length */
if (len < sizeof(isakmp)) {
plog(logp, LOCATION, (struct sockaddr *)&remote,
- "received invalid header length.\n");
+ "packet shorter than isakmp header size.\n");
+ /* dummy receive */
+ if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
+ 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
+ plog(logp, LOCATION, NULL,
+ "failed to receive isakmp packet\n");
+ }
+ goto end;
+ }
+
+ /* check bogus length */
+ if (ntohl(isakmp.len) > len) {
+ plog(logp, LOCATION, (struct sockaddr *)&remote,
+ "packet shorter than isakmp header length field.\n");
+ /* dummy receive */
if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
0, (struct sockaddr *)&remote, &remote_len)) < 0) {
plog(logp, LOCATION, NULL,
@@ -185,6 +199,12 @@ isakmp_handler(so_isakmp)
if ((buf = vmalloc(ntohl(isakmp.len))) == NULL) {
plog(logp, LOCATION, NULL,
"failed to allocate reading buffer\n");
+ /* dummy receive */
+ if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
+ 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
+ plog(logp, LOCATION, NULL,
+ "failed to receive isakmp packet\n");
+ }
goto end;
}
Please sign in to comment.
Something went wrong with that request. Please try again.