isakmpd: Fix possible unaligned 32 bit read
Hi,
When validating IPsec SPIs in a DELETE message, access to the 32
bit SPI value might be unaligned. On platforms requiring strict
alignment, this would cause termination of isakmpd by signal.
To avoid this, memcpy(3) the SPI value to a local variable.
Take care,
HJ.
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index 41392ca7f41..598a25fc435 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -623,7 +623,7 @@ message_validate_delete(struct message *msg, struct payload *p)
size_t spisz, len;
u_int32_t nspis = GET_ISAKMP_DELETE_NSPIS(p->p);
u_int8_t *spis = (u_int8_t *)p->p + ISAKMP_DELETE_SPI_OFF;
- u_int32_t i;
+ u_int32_t i, spi;
char *addr;
/* Only accept authenticated DELETEs. */
@@ -704,9 +704,11 @@ message_validate_delete(struct message *msg, struct payload *p)
if (proto == ISAKMP_PROTO_ISAKMP)
sa = sa_lookup_isakmp_sa(dst, spis + i
* ISAKMP_HDR_COOKIES_LEN);
- else
- sa = ipsec_sa_lookup(dst, ((u_int32_t *) spis)[i],
- proto);
+ else {
+ /* Ensure correct alignment of SPI. */
+ memcpy(&spi, spis + i * sizeof(spi), sizeof(spi));
+ sa = ipsec_sa_lookup(dst, spi, proto);
+ }
if (!sa) {
LOG_DBG((LOG_MESSAGE, 50, "message_validate_delete: "
"invalid spi (no valid SA found)"));