isakmpd: Validate DELETE payload SPI array size 2/2
Hi,
anyone?
On Wed, Apr 22, 2026 at 03:03:45PM +0200, hshoexer wrote:
> Hi,
>
> Similar to message_validate_delete(), also validate in
> ipsec_handle_leftover_payload() that the provided number of SPIs
> actually fits in the payload. This is redundant as we already would
> bail out in message_validate_delete(). But check nonetheless.
>
> ok?
>
> Take care,
> HJ.
>
> diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
> index 4b50f6a7886..bcc3a1e6212 100644
> --- a/sbin/isakmpd/ipsec.c
> +++ b/sbin/isakmpd/ipsec.c
> @@ -1748,6 +1748,7 @@ ipsec_handle_leftover_payload(struct message *msg, u_int8_t type,
> struct payload *payload)
> {
> u_int32_t spisz, nspis;
> + size_t len;
> struct sockaddr *dst;
> int reenter = 0;
> u_int8_t *spis, proto;
> @@ -1773,6 +1774,13 @@ ipsec_handle_leftover_payload(struct message *msg, u_int8_t type,
> spisz, proto);
> return -1;
> }
> + len = GET_ISAKMP_GEN_LENGTH(payload->p);
> + if (len < ISAKMP_DELETE_SPI_OFF ||
> + (len - ISAKMP_DELETE_SPI_OFF) / spisz < nspis) {
> + log_print("ipsec_handle_leftover_payload: "
> + "SPI count %u exceeds payload length %zu", nspis, len);
> + return -1;
> + }
> spis = calloc(nspis, spisz);
> if (!spis) {
> log_error("ipsec_handle_leftover_payload: malloc "
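Review bot: the division in the added test `(len - ISAKMP_DELETE_SPI_OFF) / spisz < nspis` is only safe if spisz cannot be zero at this point. The hunk shows just the tail of an earlier check that logs spisz and proto and returns -1; if that check does not already reject spisz == 0, add an explicit guard before dividing. Expressing the bound as a division rather than as nspis * spisz avoids a multiplication overflow, and a one-line comment saying so would keep a later cleanup from "simplifying" it. The message "SPI count %u exceeds payload length %zu" is also printed when len < ISAKMP_DELETE_SPI_OFF, where the payload is simply shorter than the fixed DELETE header, so a separate message for that branch would make the log easier to interpret.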
>