From: hshoexer Subject: Re: isakmpd: Validate DELETE payload SPI array size 1/2 To: tech@openbsd.org Date: Mon, 8 Jun 2026 17:08:55 +0200 Hi, anyone? On Wed, Apr 22, 2026 at 03:02:17PM +0200, hshoexer wrote: > Hi, > > The number of SPIs provided in a DELETE message is not properly > validated. This might cause a read beyond the message end. However, > the outside read is limited to 4 bytes for IPsec SAs and 16 bytes > for ISAKMP SAs. A crash is possible, but seems unlikely to me. > > ok? > > Take care, > HJ. > > diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c > index c49a14d67b7..41392ca7f41 100644 > --- a/sbin/isakmpd/message.c > +++ b/sbin/isakmpd/message.c > @@ -620,6 +620,7 @@ message_validate_delete(struct message *msg, struct payload *p) > struct doi *doi; > struct sa *sa, *isakmp_sa; > struct sockaddr *dst, *dst_isa; > + size_t spisz, len; > u_int32_t nspis = GET_ISAKMP_DELETE_NSPIS(p->p); > u_int8_t *spis = (u_int8_t *)p->p + ISAKMP_DELETE_SPI_OFF; > u_int32_t i; > @@ -666,6 +667,24 @@ message_validate_delete(struct message *msg, struct payload *p) > message_free(msg); > return -1; > } > + /* Enforce that SPI size matches the protocol. */ > + spisz = (proto == ISAKMP_PROTO_ISAKMP) ? > + ISAKMP_HDR_COOKIES_LEN : sizeof(u_int32_t); > + if (GET_ISAKMP_DELETE_SPI_SZ(p->p) != spisz) { > + log_print("message_validate_delete: invalid SPI size %u " > + "for protocol %u", GET_ISAKMP_DELETE_SPI_SZ(p->p), proto); > + message_free(msg); > + return -1; > + } > + /* All SPIs must fit into the DELETE payload. */ > + len = GET_ISAKMP_GEN_LENGTH(p->p); > + if (len < ISAKMP_DELETE_SPI_OFF || > + (len - ISAKMP_DELETE_SPI_OFF) / spisz < nspis) { > + log_print("message_validate_delete: SPI count %u exceeds " > + "payload length %zu", nspis, len); > + message_free(msg); > + return -1; > + } > /* Validate the SPIs. */ > for (i = 0; i < nspis; i++) { > /* Get ISAKMP SA protecting this message. */ >