author | remi <remi@openbsd.org> | 2019-12-19 16:47:14 +0000 |
---|---|---|
committer | remi <remi@openbsd.org> | 2019-12-19 16:47:14 +0000 |
commit | 228f75627bc6fb3e67f9e86aeded54493c9e870e (patch) | |
tree | 05675d014a53e6d834cdf7714556a3f5e8cf15b4 /usr.sbin/ripd | |
parent | Fix output loop to not stop when the first unused output format is (diff) | |
Validate auth_offset before using it. If it's too big ripd will crash.
RFC 2082, chapter 3.1 says about the offset:
A 16 bit offset from the RIP-2 header to the MD5 digest (if no
other trailer fields are ever defined, this value equals the
RIP-2 Data Length).
Problem reported by Hiltjo Posthuma.
OK claudio@ deraadt@ benno@
Diffstat (limited to 'usr.sbin/ripd')
-rw-r--r-- | usr.sbin/ripd/auth.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/usr.sbin/ripd/auth.c b/usr.sbin/ripd/auth.c index d0917d06e1e..492c512db34 100644 --- a/usr.sbin/ripd/auth.c +++ b/usr.sbin/ripd/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.11 2010/05/26 13:56:08 nicm Exp $ */ +/* $OpenBSD: auth.c,v 1.12 2019/12/19 16:47:14 remi Exp $ */ /* * Copyright (c) 2006 Michele Marchetto <mydecay@openbeer.it> @@ -144,6 +144,14 @@ auth_validate(u_int8_t **buf, u_int16_t *len, struct iface *iface, return (-1); } + if (ntohs(a->auth_offset) != *len + RIP_HDR_LEN - + AUTH_TRLR_HDR_LEN - MD5_DIGEST_LENGTH) { + log_debug("auth_validate: invalid authentication data " + "offset %hu, interface %s", ntohs(a->auth_offset), + iface->name); + return (-1); + } + auth_data = *buf; auth_data += ntohs(a->auth_offset); |
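Review bot: In the new auth_offset test in auth_validate(), a packet too short to hold the trailer is rejected only implicitly: when *len is below AUTH_TRLR_HDR_LEN + MD5_DIGEST_LENGTH - RIP_HDR_LEN, the right-hand side falls outside the range ntohs() can return, so the comparison fails and the function returns -1, but nothing in the hunk states that. An explicit minimum-length check on *len ahead of this test, with the expected offset then computed into a named local, would make the bound on the following `auth_data += ntohs(a->auth_offset);` obvious to the next reader. A short comment would also help, explaining why RIP_HDR_LEN is added back to *len and that strict equality enforces the "no other trailer fields" case from RFC 2082 section 3.1 quoted in the commit message. The log_debug() line prints only the received offset; printing the expected value (or *len) beside it would make a rejected packet easier to diagnose.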