diff options
| author |   markus <markus@openbsd.org> | 2014-05-05 15:21:20 +0000 |
|---|---|---|
| committer | markus <markus@openbsd.org> | 2014-05-05 15:21:20 +0000 |
| commit | a60400e3e36dd54d33a08656aa7fc7813b789410 (patch) | |
| tree | fce12d25ce928ddd585c57828d8dc9636a7f5b8e | |
| parent | convert select to poll. from peter malone (diff) | |
| download | wireguard-openbsd-a60400e3e36dd54d33a08656aa7fc7813b789410.tar.xz wireguard-openbsd-a60400e3e36dd54d33a08656aa7fc7813b789410.zip | |
validate the attribute length, too; from hshoexer; ok mikeb
| -rw-r--r-- | sbin/iked/ikev2_pld.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sbin/iked/ikev2_pld.c b/sbin/iked/ikev2_pld.c index 451f57caf00..d72580498e4 100644 --- a/sbin/iked/ikev2_pld.c +++ b/sbin/iked/ikev2_pld.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2_pld.c,v 1.40 2014/04/28 11:21:02 reyk Exp $ */ +/* $OpenBSD: ikev2_pld.c,v 1.41 2014/05/05 15:21:20 markus Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -616,6 +616,12 @@ ikev2_pld_attr(struct iked *env, struct ikev2_transform *xfrm, } else { /* Type-Length-Value attribute */ attr_length = betoh16(attr.attr_length); + if (attr_length < sizeof(attr)) { + log_debug("%s: payload malformed: shorter than " + "minimal header (%zu < %zu)", __func__, + attr_length, sizeof(attr)); + return (-1); + } if (total < attr_length) { log_debug("%s: payload malformed: attribute larger " "than actual payload (%zu < %zu)", __func__, |