authorRene Mayrhofer <rene@mayrhofer.eu.org>2009-06-23 10:51:58 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2009-06-23 10:51:58 +0000
commit4ef45ba0404dac3773e83af995a5ec584b23d633 (patch)
treecdd1801c21adf6f2e210ed31c39790ebe95892b7 /src
parenta33d6529e9bbf1e1afd7b2e8e44e0710987ff645 (diff)
- Updated translations.
- Import NMU patches.
Diffstat (limited to 'src')
-rw-r--r--src/charon/sa/ike_sa.c5
-rw-r--r--src/charon/sa/tasks/child_create.c4
-rw-r--r--src/libstrongswan/asn1/asn1.c27
-rw-r--r--src/libstrongswan/asn1/asn1_parser.c2
-rw-r--r--src/pluto/asn1.c33
5 files changed, 56 insertions, 15 deletions
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index 6acbc6eef..bebd74160 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -1438,6 +1438,11 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
exchange_type_names, message->get_exchange_type(message),
message->get_request(message) ? "request" : "response",
message->get_message_id(message));
+
+ if (this->state == IKE_CREATED)
+ { /* invalid initiation attempt, close SA */
+ return DESTROY_ME;
+ }
return status;
}
else
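Review bot: The new `if (this->state == IKE_CREATED)` branch replaces the computed `status` with `DESTROY_ME`, but its comment does not say why destroying the SA is the right outcome. Presumably an SA still in IKE_CREATED has nothing established yet, so keeping it after a malformed first message would leave a half-initialised object reachable by later packets. If that is the intent, the comment should say so, e.g. `/* first message failed to parse: nothing is established yet, so destroy the SA instead of keeping a half-initialised one */`. process_message() starts and ends outside this hunk, so how callers handle DESTROY_ME compared with the original status cannot be confirmed from here.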
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
index f6043979f..c07cd37b8 100644
--- a/src/charon/sa/tasks/child_create.c
+++ b/src/charon/sa/tasks/child_create.c
@@ -1137,11 +1137,11 @@ static void destroy(private_child_create_t *this)
{
chunk_free(&this->my_nonce);
chunk_free(&this->other_nonce);
- if (this->tsi)
+ if (this->tsr)
{
this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
}
- if (this->tsr)
+ if (this->tsi)
{
this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
}
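Review bot: Each teardown block in destroy() names its field three times (guard, receiver, argument), which is how the guard and the dereferenced pointer came to disagree; before this change a set `tsi` with an unset `tsr` would have called through a NULL `tsr`. A small static helper that takes the list pointer once and performs `if (l) l->destroy_offset(l, offsetof(traffic_selector_t, destroy));` would make that mismatch impossible to write. If the same pair of blocks is repeated elsewhere in child_create.c (not visible here), it should be checked for the same swap. destroy() continues beyond the end of this hunk.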
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 8b9762777..56dedb036 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -261,6 +261,11 @@ u_int asn1_length(chunk_t *blob)
len = 256*len + *blob->ptr++;
blob->len--;
}
+ if (len > blob->len)
+ {
+ DBG2("length is larger than remaining blob size");
+ return ASN1_INVALID_LENGTH;
+ }
return len;
}
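Review bot: The added `if (len > blob->len)` test sits after the multi-octet accumulation loop, so it only covers return paths that reach this point. The start of asn1_length() is outside the hunk; if it returns early for a short-form (single-octet) length, that value is never compared with the remaining blob. This matters because the same commit removes the caller-side `blob->len < blob1->len` test in asn1_parser.c iterate() and in pluto's extract_object(), leaving asn1_length() as the only bound on attacker-supplied lengths. Either keep the caller checks or route every return path through the comparison, for example by assigning the short-form value to `len` and falling through to the new check. The identical hunk in src/pluto/asn1.c needs the same treatment, and it is worth confirming that the number of length octets is capped so `256*len` cannot wrap before the comparison.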
@@ -283,14 +288,20 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
{
int tz_hour, tz_min;
- sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+ {
+ return 0; /* error in positive timezone offset format */
+ }
tz_offset = 3600*tz_hour + 60*tz_min; /* positive time zone offset */
}
else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
{
int tz_hour, tz_min;
- sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+ {
+ return 0; /* error in negative timezone offset format */
+ }
tz_offset = -3600*tz_hour - 60*tz_min; /* negative time zone offset */
}
else
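Review bot: Checking the `sscanf` return value confirms that two numbers were converted, but not that they were read from inside the chunk. `eot+1` points into `utctime->ptr`, whose extent is given by `utctime->len`, and nothing in the hunk shows the data is NUL-terminated or that four bytes remain after the sign character. The converted values are also used unchecked, and `%2d` accepts a sign and leading whitespace, so a range check such as `if (tz_hour < 0 || tz_hour > 23 || tz_min < 0 || tz_min > 59) return 0;` belongs after each conversion. The same concerns apply to the `sscanf` calls in the next hunk of asn1_to_time() and to asn1totime() in src/pluto/asn1.c.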
@@ -303,14 +314,20 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
"%4d%2d%2d%2d%2d";
- sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
- &t.tm_hour, &t.tm_min);
+ if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+ &t.tm_hour, &t.tm_min) != 5)
+ {
+ return 0; /* error in time st [yy]yymmddhhmm time format */
+ }
}
/* is there a seconds field? */
if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
{
- sscanf(eot-2, "%2d", &t.tm_sec);
+ if (sscanf(eot-2, "%2d", &t.tm_sec) != 1)
+ {
+ return 0; /* error in ss seconds field format */
+ }
}
else
{
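Review bot: Every new failure path returns `0`, which is also a valid `time_t` (the epoch), so a caller cannot tell a malformed date from 1 January 1970. For a validity start date that would read as "valid since the epoch" rather than as an error. The callers are not visible here, so this should be confirmed against them, and the return convention should at least be documented in the function header. The comment `/* error in time st [yy]yymmddhhmm time format */` is also garbled; `/* error in [yy]yymmddhhmm time format */` is presumably what was meant. The same lines appear in asn1totime() in src/pluto/asn1.c.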
diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
index 7a2028fc3..7ea9ace4f 100644
--- a/src/libstrongswan/asn1/asn1_parser.c
+++ b/src/libstrongswan/asn1/asn1_parser.c
@@ -160,7 +160,7 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
blob1->len = asn1_length(blob);
- if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+ if (blob1->len == ASN1_INVALID_LENGTH)
{
DBG1("L%d - %s: length of ASN.1 object invalid or too large",
level, obj.name);
diff --git a/src/pluto/asn1.c b/src/pluto/asn1.c
index 529f597fb..6f3695874 100644
--- a/src/pluto/asn1.c
+++ b/src/pluto/asn1.c
@@ -191,6 +191,13 @@ asn1_length(chunk_t *blob)
len = 256*len + *blob->ptr++;
blob->len--;
}
+ if (len > blob->len)
+ {
+ DBG(DBG_PARSING,
+ DBG_log("length is larger than remaining blob size")
+ )
+ return ASN1_INVALID_LENGTH;
+ }
return len;
}
@@ -368,14 +375,20 @@ asn1totime(const chunk_t *utctime, asn1_t type)
{
int tz_hour, tz_min;
- sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+ {
+ return 0; /* error in positive timezone offset format */
+ }
tz_offset = 3600*tz_hour + 60*tz_min; /* positive time zone offset */
}
else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
{
int tz_hour, tz_min;
- sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+ {
+ return 0; /* error in negative timezone offset format */
+ }
tz_offset = -3600*tz_hour - 60*tz_min; /* negative time zone offset */
}
else
@@ -388,14 +401,20 @@ asn1totime(const chunk_t *utctime, asn1_t type)
const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
"%4d%2d%2d%2d%2d";
- sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
- &t.tm_hour, &t.tm_min);
- }
+ if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+ &t.tm_hour, &t.tm_min) != 5)
+ {
+ return 0; /* error in time st [yy]yymmddhhmm time format */
+ }
+ }
/* is there a seconds field? */
if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
{
- sscanf(eot-2, "%2d", &t.tm_sec);
+ if (sscanf(eot-2, "%2d", &t.tm_sec) != 1)
+ {
+ return 0; /* error in ss seconds field format */
+ }
}
else
{
@@ -592,7 +611,7 @@ extract_object(asn1Object_t const *objects,
blob1->len = asn1_length(blob);
- if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+ if (blob1->len == ASN1_INVALID_LENGTH)
{
DBG(DBG_PARSING,
DBG_log("L%d - %s: length of ASN.1 object invalid or too large",