charon-tkm: Validate DH public key to fix potential buffer overflow

Seems this was forgotten in the referenced commit and actually could lead to a buffer overflow. Since charon-tkm is untrusted this isn't that much of an issue but could at least be easily exploited for a DoS attack as DH public values are set when handling IKE_SA_INIT requests. Fixes: 0356089 ("diffie-hellman: Verify public DH values in backends") Fixes: CVE-2023-41913
strongswan · Nov 17, 2023 · 96d7937 · 96d7937
1 parent 74ae71d
commit 96d7937
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool,
 	return TRUE;
 }
 
-
 METHOD(key_exchange_t, set_public_key, bool,
 	private_tkm_diffie_hellman_t *this, chunk_t value)
 {
 	dh_pubvalue_type othervalue;
+
+	if (!key_exchange_verify_pubkey(this->group, value) ||
+		value.len > sizeof(othervalue.data))
+	{
+		return FALSE;
+	}
 	othervalue.size = value.len;
 	memcpy(&othervalue.data, value.ptr, value.len);