From: hshoexer <hshoexer@yerbouti.franken.de>
Subject: isakmpd: Validate DELETE payload SPI array size 2/2
To: tech@openbsd.org
Date: Wed, 22 Apr 2026 15:03:45 +0200


Hi,

Similar to message_validate_delete(), also validate in
ipsec_handle_leftover_payload() that the provided number of SPIs
actually fits in the payload. This is redundant, as we would already
bail out in message_validate_delete(). But check nonetheless.

ok?

Take care,
HJ.

diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 4b50f6a7886..bcc3a1e6212 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1748,6 +1748,7 @@ ipsec_handle_leftover_payload(struct message *msg, u_int8_t type,
     struct payload *payload)
 {
 	u_int32_t       spisz, nspis;
+	size_t		len;
 	struct sockaddr *dst;
 	int             reenter = 0;
 	u_int8_t       *spis, proto;
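Review bot: the new `size_t		len;` declaration is padded with tabs while the neighbouring declarations in this block (`u_int32_t       spisz, nspis;`, `int             reenter = 0;`) are padded with spaces to a common column; match the existing alignment so the declaration block stays consistent.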
@@ -1773,6 +1774,13 @@ ipsec_handle_leftover_payload(struct message *msg, u_int8_t type,
 			    spisz, proto);
 			return -1;
 		}
+		len = GET_ISAKMP_GEN_LENGTH(payload->p);
+		if (len < ISAKMP_DELETE_SPI_OFF ||
+		    (len - ISAKMP_DELETE_SPI_OFF) / spisz < nspis) {
+			log_print("ipsec_handle_leftover_payload: "
+			    "SPI count %u exceeds payload length %zu", nspis, len);
+			return -1;
+		}
 		spis = calloc(nspis, spisz);
 		if (!spis) {
 			log_error("ipsec_handle_leftover_payload: malloc "
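Review bot: the new check rejects an SPI count that does not fit, but it accepts trailing bytes when `len - ISAKMP_DELETE_SPI_OFF` is not a multiple of `spisz`; if message_validate_delete() is strict about that, consider adding `(len - ISAKMP_DELETE_SPI_OFF) % spisz != 0` to the condition so the two checks agree on what a well-formed payload is. The division form is the right choice since it never forms an `nspis * spisz` product that could wrap, and it is safe as long as the check just above (the one that logs `spisz, proto` and returns -1) rejects a zero SPI size; worth confirming that before relying on it as the divisor. The `%zu` conversion matches the `size_t len`, and `%u` matches the `u_int32_t nspis`.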
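The check the patch adds, as a stand-alone added example (not isakmpd code): a validator for the SPI array of an ISAKMP DELETE payload, with a builder that constructs payloads whose advertised SPI count does or does not match the bytes actually present. The field offsets are taken from the DELETE payload layout in RFC 2408 section 3.15; the names `DEL_*`, `delete_spis_fit()`, `build_delete()` and `delete_scenario()` are this example's own, and requiring the SPI size to match the protocol-id (16 for ISAKMP, 4 for AH/ESP) is this example's choice, not a claim about what isakmpd checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * ISAKMP DELETE payload layout (RFC 2408, section 3.15):
 *   0 next payload (1)   1 reserved (1)    2 payload length (2)
 *   4 DOI (4)            8 protocol-id (1)  9 SPI size (1)
 *  10 number of SPIs (2) 12 SPI(s)
 */
#define DEL_LEN_OFF      2
#define DEL_PROTO_OFF    8
#define DEL_SPISZ_OFF    9
#define DEL_NSPIS_OFF   10
#define DEL_SPI_OFF     12
#define DEL_PROTO_ISAKMP 1
#define DEL_PROTO_AH     2
#define DEL_PROTO_ESP    3

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/*
 * Validate the SPI array of a DELETE payload. 'avail' is how many bytes of
 * the enclosing message remain from the start of the payload.
 * Returns 0 when the payload is consistent, -1 otherwise.
 */
int delete_spis_fit(const uint8_t *p, size_t avail)
{
	size_t len, spisz, nspis;

	if (avail < DEL_SPI_OFF)
		return -1;		/* fixed part of the header is truncated */
	len = get16(p + DEL_LEN_OFF);
	if (len < DEL_SPI_OFF || len > avail)
		return -1;		/* length field cannot be trusted */
	spisz = p[DEL_SPISZ_OFF];
	nspis = get16(p + DEL_NSPIS_OFF);
	/* SPI size must match the protocol; this also guarantees spisz != 0. */
	switch (p[DEL_PROTO_OFF]) {
	case DEL_PROTO_ISAKMP: if (spisz != 16) return -1; break;
	case DEL_PROTO_AH:
	case DEL_PROTO_ESP:    if (spisz != 4) return -1; break;
	default:               return -1;
	}
	/* Division form: no nspis * spisz product that could wrap around. */
	if ((len - DEL_SPI_OFF) / spisz < nspis)
		return -1;
	return 0;
}

/*
 * Construct a DELETE payload carrying 'actual' real SPIs of 'spisz' bytes
 * while advertising 'claimed' in the count field. Returns the payload
 * length, or 0 if it does not fit in 'cap' bytes.
 */
size_t build_delete(uint8_t *buf, size_t cap, uint8_t proto, uint8_t spisz,
    uint16_t actual, uint16_t claimed)
{
	size_t body = (size_t)actual * spisz, len = DEL_SPI_OFF + body, i;

	if (len > cap || len > 0xffff)
		return 0;
	memset(buf, 0, len);
	put16(buf + DEL_LEN_OFF, (uint16_t)len);
	put16(buf + 4, 1);			/* DOI: IPsec */
	buf[DEL_PROTO_OFF] = proto;
	buf[DEL_SPISZ_OFF] = spisz;
	put16(buf + DEL_NSPIS_OFF, claimed);
	for (i = 0; i < body; i++)
		buf[DEL_SPI_OFF + i] = (uint8_t)(0xa0 + i);	/* constructed SPI bytes */
	return len;
}

/* Build one constructed payload and return the validator's verdict. */
int delete_scenario(uint8_t proto, uint8_t spisz, uint16_t actual, uint16_t claimed)
{
	uint8_t buf[256];
	size_t n = build_delete(buf, sizeof buf, proto, spisz, actual, claimed);

	return n == 0 ? -1 : delete_spis_fit(buf, n);
}

int main(void)
{
	printf("honest count (2 ESP SPIs):       %s\n",
	    delete_scenario(DEL_PROTO_ESP, 4, 2, 2) == 0 ? "accepted" : "rejected");
	printf("inflated count (claims 65535):   %s\n",
	    delete_scenario(DEL_PROTO_ESP, 4, 2, 0xffff) == 0 ? "accepted" : "rejected");
	return 0;
}
```

The validator checks the declared length against the bytes actually available before it reads the count, so a count field that lies is caught before anything is allocated or copied on its basis.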