LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10259 Commits
1 Branch
46 MiB
Tree: 509f208ee7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '509f208ee7'
${ noResults }
openwrt-packages-dist/net/ipsec-tools/patches/010-CVE-2016-10396.patch

201 lines
5.7 KiB
Raw Normal View History

ipsec-tools: Fix CVE-2016-10396 Use patch pulled from Debian's packaging at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986 Signed-off-by: Noah Meyerhans <frodo@morgul.net>
7 years ago
 
  1. Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
  2. Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
  3. Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
  4. 

  5. Index: ipsec-tools-0.8.2/src/racoon/isakmp_frag.c

  6. ===================================================================

  7. --- ipsec-tools-0.8.2.orig/src/racoon/isakmp_frag.c

  8. +++ ipsec-tools-0.8.2/src/racoon/isakmp_frag.c

  9. @@ -1,4 +1,4 @@

  10. -/*	$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $	*/

  11. +/*	$NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $	*/

  12.  
  13.  /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
  14.  
  15. @@ -173,6 +173,43 @@ vendorid_frag_cap(gen)

  16.  	return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
  17.  }
  18.  
  19. +static int 

  20. +isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)

  21. +{

  22. +	struct isakmp_frag_item *pitem = NULL;

  23. +	struct isakmp_frag_item *citem = iph1->frag_chain;

  24. +

  25. +	/* no frag yet, just insert at beginning of list */

  26. +	if (iph1->frag_chain == NULL) {

  27. +		iph1->frag_chain = item;

  28. +		return 0;

  29. +	}

  30. +

  31. +	do {

  32. +		/* duplicate fragment number, abort (CVE-2016-10396) */

  33. +		if (citem->frag_num == item->frag_num)

  34. +			return -1;

  35. +

  36. +		/* need to insert before current item */

  37. +		if (citem->frag_num > item->frag_num) {

  38. +			if (pitem != NULL)

  39. +				pitem->frag_next = item;

  40. +			else

  41. +				/* insert at the beginning of the list  */

  42. +				iph1->frag_chain = item;

  43. +			item->frag_next = citem;

  44. +			return 0;

  45. +		}

  46. +

  47. +		pitem = citem;

  48. +		citem = citem->frag_next;

  49. +	} while (citem != NULL);

  50. +

  51. +	/* we reached the end of the list, insert */

  52. +	pitem->frag_next = item;

  53. +	return 0;

  54. +}

  55. +

  56.  int 
  57.  isakmp_frag_extract(iph1, msg)
  58.  	struct ph1handle *iph1;
  59. @@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)

  60.  	item->frag_next = NULL;
  61.  	item->frag_packet = buf;
  62.  
  63. -	/* Look for the last frag while inserting the new item in the chain */

  64. -	if (item->frag_last)

  65. -		last_frag = item->frag_num;

  66. +	/* Check for the last frag before inserting the new item in the chain */

  67. +	if (item->frag_last) {

  68. +		/* if we have the last fragment, indices must match */

  69. +		if (iph1->frag_last_index != 0 &&

  70. +		    item->frag_last != iph1->frag_last_index) {

  71. +			plog(LLV_ERROR, LOCATION, NULL,

  72. +			     "Repeated last fragment index mismatch\n");

  73. +			racoon_free(item);

  74. +			vfree(buf);

  75. +			return -1;

  76. +		}

  77.  
  78. -	if (iph1->frag_chain == NULL) {

  79. -		iph1->frag_chain = item;

  80. -	} else {

  81. -		struct isakmp_frag_item *current;

  82. +		last_frag = iph1->frag_last_index = item->frag_num;

  83. +	}

  84.  
  85. -		current = iph1->frag_chain;

  86. -		while (current->frag_next) {

  87. -			if (current->frag_last)

  88. -				last_frag = item->frag_num;

  89. -			current = current->frag_next;

  90. -		}

  91. -		current->frag_next = item;

  92. +	/* insert fragment into chain */

  93. +	if (isakmp_frag_insert(iph1, item) == -1) {

  94. +		plog(LLV_ERROR, LOCATION, NULL,

  95. +		    "Repeated fragment index mismatch\n");

  96. +		racoon_free(item);

  97. +		vfree(buf);

  98. +		return -1;

  99.  	}
  100.  
  101. -	/* If we saw the last frag, check if the chain is complete */

  102. +	/* If we saw the last frag, check if the chain is complete

  103. +	 * we have a sorted list now, so just walk through */

  104.  	if (last_frag != 0) {
  105. +		item = iph1->frag_chain;

  106.  		for (i = 1; i <= last_frag; i++) {
  107. -			item = iph1->frag_chain;

  108. -			do {

  109. -				if (item->frag_num == i)

  110. -					break;

  111. -				item = item->frag_next;

  112. -			} while (item != NULL);

  113. -

  114. +			if (item->frag_num != i)

  115. +				break;

  116. +			item = item->frag_next;

  117.  			if (item == NULL) /* Not found */
  118.  				break;
  119.  		}
  120.  
  121. -		if (item != NULL) /* It is complete */

  122. +		if (i > last_frag) /* It is complete */

  123.  			return 1;
  124.  	}
  125.  		
  126. @@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)

  127.  	}
  128.  	data = buf->v;
  129.  
  130. +	item = iph1->frag_chain;

  131.  	for (i = 1; i <= frag_count; i++) {
  132. -		item = iph1->frag_chain;

  133. -		do {

  134. -			if (item->frag_num == i)

  135. -				break;

  136. -			item = item->frag_next;

  137. -		} while (item != NULL);

  138. -

  139. -		if (item == NULL) {

  140. +		if (item->frag_num != i) {

  141.  			plog(LLV_ERROR, LOCATION, NULL, 
  142.  			    "Missing fragment #%d\n", i);
  143.  			vfree(buf);
  144. @@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)

  145.  		}
  146.  		memcpy(data, item->frag_packet->v, item->frag_packet->l);
  147.  		data += item->frag_packet->l;
  148. +		item = item->frag_next;

  149.  	}
  150.  
  151.  out:
  152. Index: ipsec-tools-0.8.2/src/racoon/isakmp_inf.c

  153. ===================================================================

  154. --- ipsec-tools-0.8.2.orig/src/racoon/isakmp_inf.c

  155. +++ ipsec-tools-0.8.2/src/racoon/isakmp_inf.c

  156. @@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca

  157.  #endif
  158.  #ifdef ENABLE_FRAG
  159.  	iph1->frag = 0;
  160. +	iph1->frag_last_index = 0;

  161.  	iph1->frag_chain = NULL;
  162.  #endif
  163.  
  164. Index: ipsec-tools-0.8.2/src/racoon/isakmp.c

  165. ===================================================================

  166. --- ipsec-tools-0.8.2.orig/src/racoon/isakmp.c

  167. +++ ipsec-tools-0.8.2/src/racoon/isakmp.c

  168. @@ -1071,6 +1071,7 @@ isakmp_ph1begin_i(rmconf, remote, local)

  169.  		iph1->frag = 1;
  170.  	else
  171.  		iph1->frag = 0;
  172. +	iph1->frag_last_index = 0;

  173.  	iph1->frag_chain = NULL;
  174.  #endif
  175.  	iph1->approval = NULL;
  176. @@ -1175,6 +1176,7 @@ isakmp_ph1begin_r(msg, remote, local, et

  177.  #endif
  178.  #ifdef ENABLE_FRAG
  179.  	iph1->frag = 0;
  180. +	iph1->frag_last_index = 0;

  181.  	iph1->frag_chain = NULL;
  182.  #endif
  183.  	iph1->approval = NULL;
  184. Index: ipsec-tools-0.8.2/src/racoon/handler.h

  185. ===================================================================

  186. --- ipsec-tools-0.8.2.orig/src/racoon/handler.h

  187. +++ ipsec-tools-0.8.2/src/racoon/handler.h

  188. @@ -1,4 +1,4 @@

  189. -/*	$NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $	*/

  190. +/*	$NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $	*/

  191.  
  192.  /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
  193.  
  194. @@ -141,6 +141,7 @@ struct ph1handle {

  195.  #endif
  196.  #ifdef ENABLE_FRAG
  197.  	int frag;			/* IKE phase 1 fragmentation */
  198. +	int frag_last_index;

  199.  	struct isakmp_frag_item *frag_chain;	/* Received fragments */
  200.  #endif
  201.