From: hshoexer <hshoexer@yerbouti.franken.de>
Subject: Re: isakmpd: Fix possible unaligned 32 bit read
To: tech@openbsd.org
Date: Mon, 8 Jun 2026 17:16:09 +0200

Hi,

anyone?

On Wed, Apr 22, 2026 at 03:04:47PM +0200, hshoexer wrote:
> Hi,
> 
> When validating IPsec SPIs in a DELETE message, access to the 32
> bit SPI value might be unaligned.  On platforms requiring strict
> alignment, this would cause termination of isakmpd by signal.
>     
> To avoid this, memcpy(3) the SPI value to a local variable.
> 
> Take care,
> HJ.
> 
> diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
> index 41392ca7f41..598a25fc435 100644
> --- a/sbin/isakmpd/message.c
> +++ b/sbin/isakmpd/message.c
> @@ -623,7 +623,7 @@ message_validate_delete(struct message *msg, struct payload *p)
>  	size_t		spisz, len;
>  	u_int32_t       nspis = GET_ISAKMP_DELETE_NSPIS(p->p);
>  	u_int8_t       *spis = (u_int8_t *)p->p + ISAKMP_DELETE_SPI_OFF;
> -	u_int32_t       i;
> +	u_int32_t       i, spi;
>  	char           *addr;
>  
>  	/* Only accept authenticated DELETEs. */
> @@ -704,9 +704,11 @@ message_validate_delete(struct message *msg, struct payload *p)
>  		if (proto == ISAKMP_PROTO_ISAKMP)
>  			sa = sa_lookup_isakmp_sa(dst, spis + i
>  			    * ISAKMP_HDR_COOKIES_LEN);
> -		else
> -			sa = ipsec_sa_lookup(dst, ((u_int32_t *) spis)[i],
> -			    proto);
> +		else {
> +			/* Ensure correct alignment of SPI. */
> +			memcpy(&spi, spis + i * sizeof(spi), sizeof(spi));
> +			sa = ipsec_sa_lookup(dst, spi, proto);
> +		}
>  		if (!sa) {
>  			LOG_DBG((LOG_MESSAGE, 50, "message_validate_delete: "
>  			    "invalid spi (no valid SA found)"));
>