From: hshoexer <hshoexer@yerbouti.franken.de>
Subject: isakmpd: Fix possible unaligned 32 bit read
To: tech@openbsd.org
Date: Wed, 22 Apr 2026 15:04:47 +0200

Hi,

When validating IPsec SPIs in a DELETE message, access to the 32
bit SPI value might be unaligned.  On platforms requiring strict
alignment, this would cause termination of isakmpd by signal.
    
To avoid this, memcpy(3) the SPI value to a local variable.

Take care,
HJ.

diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index 41392ca7f41..598a25fc435 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -623,7 +623,7 @@ message_validate_delete(struct message *msg, struct payload *p)
 	size_t		spisz, len;
 	u_int32_t       nspis = GET_ISAKMP_DELETE_NSPIS(p->p);
 	u_int8_t       *spis = (u_int8_t *)p->p + ISAKMP_DELETE_SPI_OFF;
-	u_int32_t       i;
+	u_int32_t       i, spi;
 	char           *addr;
 
 	/* Only accept authenticated DELETEs. */
@@ -704,9 +704,11 @@ message_validate_delete(struct message *msg, struct payload *p)
 		if (proto == ISAKMP_PROTO_ISAKMP)
 			sa = sa_lookup_isakmp_sa(dst, spis + i
 			    * ISAKMP_HDR_COOKIES_LEN);
-		else
-			sa = ipsec_sa_lookup(dst, ((u_int32_t *) spis)[i],
-			    proto);
+		else {
+			/* Ensure correct alignment of SPI. */
+			memcpy(&spi, spis + i * sizeof(spi), sizeof(spi));
+			sa = ipsec_sa_lookup(dst, spi, proto);
+		}
 		if (!sa) {
 			LOG_DBG((LOG_MESSAGE, 50, "message_validate_delete: "
 			    "invalid spi (no valid SA found)"));