Skip to content
Permalink
Browse files
CVE-2013-6466 fix: Integrated fix from Steve Lanser
  • Loading branch information
Jehreg committed Jan 27, 2014
1 parent 8e7542b commit d558afa70bcaee9bbe4008ab1a82e944e54950be
Showing with 29 additions and 0 deletions.
  1. +29 −0 programs/pluto/ikev2_parent.c
@@ -626,6 +626,24 @@ stf_status ikev2parent_inI1outR1(struct msg_digest *md)

}

/*
* If we did not get a KE payload, we cannot continue. There should be
* a Notify telling us why. We inform the user, but continue to try this
* connection via regular retransmit intervals.
*/
if(md->chain[ISAKMP_NEXT_v2N] && (md->chain[ISAKMP_NEXT_v2KE] == NULL))
{
const char *from_state_name = enum_name(&state_names, st->st_state);
const u_int16_t isan_type = md->chain[ISAKMP_NEXT_v2N]->payload.v2n.isan_type;
openswan_log("%s: received %s"
, from_state_name
, enum_name(&ikev2_notify_names, isan_type));
return STF_FAIL + isan_type;
} else if( md->chain[ISAKMP_NEXT_v2N]) {
/* XXX/SML: KE payload came with a notification-- is there a problem? */
DBG(DBG_CONTROL,DBG_log("received a notify.."));
}

/*
* We have to agree to the DH group before we actually know who
* we are talking to. If we support the group, we use it.
@@ -636,6 +654,8 @@ stf_status ikev2parent_inI1outR1(struct msg_digest *md)
*/
{
struct ikev2_ke *ke;
if (md->chain[ISAKMP_NEXT_v2KE] == NULL)
return STF_FAIL;
ke = &md->chain[ISAKMP_NEXT_v2KE]->payload.v2ke;

st->st_oakley.group=lookup_group(ke->isak_group);
@@ -735,6 +755,10 @@ ikev2_parent_inI1outR1_tail(struct pluto_crypto_req_cont *pcrc
numvidtosend++; /* we send Openswan VID */
#endif

if (sa_pd == NULL) {
return STF_FAIL;
}

/* note that we don't update the state here yet */

/* record first packet for later checking of signature */
@@ -784,6 +808,8 @@ ikev2_parent_inI1outR1_tail(struct pluto_crypto_req_cont *pcrc
{
v2_notification_t rn;
chunk_t dc;
if (md->chain[ISAKMP_NEXT_v2KE] == NULL)
return STF_FAIL;
keyex_pbs = &md->chain[ISAKMP_NEXT_v2KE]->pbs;
/* KE in */
rn=accept_KE(&st->st_gi, "Gi", st->st_oakley.group, keyex_pbs);
@@ -2210,6 +2236,9 @@ stf_status ikev2parent_inR2(struct msg_digest *md)
{
v2_notification_t rn;
struct payload_digest *const sa_pd = md->chain[ISAKMP_NEXT_v2SA];
if (sa_pd == NULL) {
return STF_FAIL;
}

rn = ikev2_parse_child_sa_body(&sa_pd->pbs, &sa_pd->payload.v2sa,
NULL, st, FALSE);

0 comments on commit d558afa

Please sign in to comment.