isakmpd: Validate DELETE payload SPI array size 2/2
Hi,
similar to message_validate_delete(), also validate in
ipsec_handle_leftover_payload() that the provided number of SPIs
actually fits in the payload. This is redundant, as we would already
bail out in message_validate_delete(), but check nonetheless.
ok?
Take care,
HJ.
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 4b50f6a7886..bcc3a1e6212 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1748,6 +1748,7 @@ ipsec_handle_leftover_payload(struct message *msg, u_int8_t type,
struct payload *payload)
{
u_int32_t spisz, nspis;
+ size_t len;
struct sockaddr *dst;
int reenter = 0;
u_int8_t *spis, proto;
@@ -1773,6 +1774,13 @@ ipsec_handle_leftover_payload(struct message *msg, u_int8_t type,
spisz, proto);
return -1;
}
+ len = GET_ISAKMP_GEN_LENGTH(payload->p);
+ if (len < ISAKMP_DELETE_SPI_OFF ||
+ (len - ISAKMP_DELETE_SPI_OFF) / spisz < nspis) {
+ log_print("ipsec_handle_leftover_payload: "
+ "SPI count %u exceeds payload length %zu", nspis, len);
+ return -1;
+ }
spis = calloc(nspis, spisz);
if (!spis) {
log_error("ipsec_handle_leftover_payload: malloc "
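Review bot: The added bound check divides by `spisz` in `(len - ISAKMP_DELETE_SPI_OFF) / spisz < nspis`, and nothing visible in this hunk shows that a zero SPI size taken from the peer's payload has been rejected before that line. The preceding check, only partly visible here, appears to validate spisz against the protocol and would probably exclude zero, but if any path lets 0 through, the division is undefined behaviour (typically a fatal SIGFPE in the daemon) before calloc() is reached. Making the new check self-contained costs little: `if (spisz == 0 || len < ISAKMP_DELETE_SPI_OFF ||`. A short comment above it, such as `/* Redundant with message_validate_delete(); kept as defence in depth. */`, would record why the validation is duplicated. The function body starts in the previous hunk and continues past the end of this one.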
isakmpd: Validate DELETE payload SPI array size 2/2