diff options
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-06-23 10:51:58 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-06-23 10:51:58 +0000 |
commit | 4ef45ba0404dac3773e83af995a5ec584b23d633 (patch) | |
tree | cdd1801c21adf6f2e210ed31c39790ebe95892b7 /src | |
parent | a33d6529e9bbf1e1afd7b2e8e44e0710987ff645 (diff) | |
download | vyos-strongswan-4ef45ba0404dac3773e83af995a5ec584b23d633.tar.gz vyos-strongswan-4ef45ba0404dac3773e83af995a5ec584b23d633.zip |
- Updated translations.
- Import NMU patches.
Diffstat (limited to 'src')
-rw-r--r-- | src/charon/sa/ike_sa.c | 5 | ||||
-rw-r--r-- | src/charon/sa/tasks/child_create.c | 4 | ||||
-rw-r--r-- | src/libstrongswan/asn1/asn1.c | 27 | ||||
-rw-r--r-- | src/libstrongswan/asn1/asn1_parser.c | 2 | ||||
-rw-r--r-- | src/pluto/asn1.c | 33 |
5 files changed, 56 insertions, 15 deletions
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c index 6acbc6eef..bebd74160 100644 --- a/src/charon/sa/ike_sa.c +++ b/src/charon/sa/ike_sa.c @@ -1438,6 +1438,11 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) exchange_type_names, message->get_exchange_type(message), message->get_request(message) ? "request" : "response", message->get_message_id(message)); + + if (this->state == IKE_CREATED) + { /* invalid initiation attempt, close SA */ + return DESTROY_ME; + } return status; } else diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c index f6043979f..c07cd37b8 100644 --- a/src/charon/sa/tasks/child_create.c +++ b/src/charon/sa/tasks/child_create.c @@ -1137,11 +1137,11 @@ static void destroy(private_child_create_t *this) { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); - if (this->tsi) + if (this->tsr) { this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy)); } - if (this->tsr) + if (this->tsi) { this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy)); } diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index 8b9762777..56dedb036 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -261,6 +261,11 @@ u_int asn1_length(chunk_t *blob) len = 256*len + *blob->ptr++; blob->len--; } + if (len > blob->len) + { + DBG2("length is larger than remaining blob size"); + return ASN1_INVALID_LENGTH; + } return len; } @@ -283,14 +288,20 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type) { int tz_hour, tz_min; - sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min); + if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2) + { + return 0; /* error in positive timezone offset format */ + } tz_offset = 3600*tz_hour + 60*tz_min; /* positive time zone offset */ } else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL) { int tz_hour, tz_min; - sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min); + if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2) + { + return 0; /* error in negative timezone offset format */ + } tz_offset = -3600*tz_hour - 60*tz_min; /* negative time zone offset */ } else @@ -303,14 +314,20 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type) const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d": "%4d%2d%2d%2d%2d"; - sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday, - &t.tm_hour, &t.tm_min); + if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday, + &t.tm_hour, &t.tm_min) != 5) + { + return 0; /* error in time st [yy]yymmddhhmm time format */ + } } /* is there a seconds field? */ if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14)) { - sscanf(eot-2, "%2d", &t.tm_sec); + if (sscanf(eot-2, "%2d", &t.tm_sec) != 1) + { + return 0; /* error in ss seconds field format */ + } } else { diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c index 7a2028fc3..7ea9ace4f 100644 --- a/src/libstrongswan/asn1/asn1_parser.c +++ b/src/libstrongswan/asn1/asn1_parser.c @@ -160,7 +160,7 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object) blob1->len = asn1_length(blob); - if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len) + if (blob1->len == ASN1_INVALID_LENGTH) { DBG1("L%d - %s: length of ASN.1 object invalid or too large", level, obj.name); diff --git a/src/pluto/asn1.c b/src/pluto/asn1.c index 529f597fb..6f3695874 100644 --- a/src/pluto/asn1.c +++ b/src/pluto/asn1.c @@ -191,6 +191,13 @@ asn1_length(chunk_t *blob) len = 256*len + *blob->ptr++; blob->len--; } + if (len > blob->len) + { + DBG(DBG_PARSING, + DBG_log("length is larger than remaining blob size") + ) + return ASN1_INVALID_LENGTH; + } return len; } @@ -368,14 +375,20 @@ asn1totime(const chunk_t *utctime, asn1_t type) { int tz_hour, tz_min; - sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min); + if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2) + { + return 0; /* error in positive timezone offset format */ + } tz_offset = 3600*tz_hour + 60*tz_min; /* positive time zone offset */ } else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL) { int tz_hour, tz_min; - sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min); + if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2) + { + return 0; /* error in negative timezone offset format */ + } tz_offset = -3600*tz_hour - 60*tz_min; /* negative time zone offset */ } else @@ -388,14 +401,20 @@ asn1totime(const chunk_t *utctime, asn1_t type) const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d": "%4d%2d%2d%2d%2d"; - sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday, - &t.tm_hour, &t.tm_min); - } + if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday, + &t.tm_hour, &t.tm_min) != 5) + { + return 0; /* error in time st [yy]yymmddhhmm time format */ + } + } /* is there a seconds field? */ if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14)) { - sscanf(eot-2, "%2d", &t.tm_sec); + if (sscanf(eot-2, "%2d", &t.tm_sec) != 1) + { + return 0; /* error in ss seconds field format */ + } } else { @@ -592,7 +611,7 @@ extract_object(asn1Object_t const *objects, blob1->len = asn1_length(blob); - if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len) + if (blob1->len == ASN1_INVALID_LENGTH) { DBG(DBG_PARSING, DBG_log("L%d - %s: length of ASN.1 object invalid or too large", |