From: hshoexer
Subject: isakmpd: Validate DELETE payload SPI array size 2/2
To: tech@openbsd.org
Date: Wed, 22 Apr 2026 15:03:45 +0200
Hi, similar to message_validate_delete() also validate in ipsec_handle_leftover_payload() that the provided number of SPIs actually fit in the payload. This is redundant as we already would bail out in message_validate_delete(). But check nonetheless. ok? Take care, HJ.
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 4b50f6a7886..bcc3a1e6212 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1748,6 +1748,7 @@ ipsec_handle_leftover_payload(struct message *msg, u_int8_t type,
 struct payload *payload)
 {
 u_int32_t spisz, nspis;
+ size_t len;
 struct sockaddr *dst;
 int reenter = 0;
 u_int8_t *spis, proto;
@@ -1773,6 +1774,13 @@ ipsec_handle_leftover_payload(struct message *msg, u_int8_t type,
 spisz, proto);
 return -1;
 }
+ len = GET_ISAKMP_GEN_LENGTH(payload->p);
+ if (len < ISAKMP_DELETE_SPI_OFF ||
+ (len - ISAKMP_DELETE_SPI_OFF) / spisz < nspis) {
+ log_print("ipsec_handle_leftover_payload: "
+ "SPI count %u exceeds payload length %zu", nspis, len);
+ return -1;
+ }
 spis = calloc(nspis, spisz);
 if (!spis) {
 log_error("ipsec_handle_leftover_payload: malloc "
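Review bot: The division `(len - ISAKMP_DELETE_SPI_OFF) / spisz` in the second hunk relies on spisz being nonzero, which presumably the immediately preceding check (only its `spisz, proto); return -1;` tail is visible in the hunk) guarantees; that dependency should be stated next to the division, since a zero divisor would be undefined behaviour rather than a clean reject. The same comment can record what the commit message says but the code does not: that this bound duplicates the one in message_validate_delete() and is kept deliberately as defense in depth, so a later cleanup does not drop one of them believing the other suffices. Suggested comment above the `len =` line: `/* Defense in depth: message_validate_delete() already rejects SPI arrays that overflow the payload; spisz is nonzero here per the check above. */`. Using the division form rather than `nspis * spisz` is the right choice as it cannot overflow; worth keeping. ipsec_handle_leftover_payload begins before the first hunk and continues past the second.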