current/SOURCES/ipsec-tools-0.8.2-CVE-2016-10396.patch

Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986

Index: pkg-ipsec-tools/src/racoon/isakmp_frag.c
===================================================================
--- pkg-ipsec-tools.orig/src/racoon/isakmp_frag.c
+++ pkg-ipsec-tools/src/racoon/isakmp_frag.c
@@ -1,4 +1,4 @@
-/*     $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $   */
+/*     $NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $      */
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
        return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
 }
 
+static int 
+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
+{
+       struct isakmp_frag_item *pitem = NULL;
+       struct isakmp_frag_item *citem = iph1->frag_chain;
+
+       /* no frag yet, just insert at beginning of list */
+       if (iph1->frag_chain == NULL) {
+               iph1->frag_chain = item;
+               return 0;
+       }
+
+       do {
+               /* duplicate fragment number, abort (CVE-2016-10396) */
+               if (citem->frag_num == item->frag_num)
+                       return -1;
+
+               /* need to insert before current item */
+               if (citem->frag_num > item->frag_num) {
+                       if (pitem != NULL)
+                               pitem->frag_next = item;
+                       else
+                               /* insert at the beginning of the list  */
+                               iph1->frag_chain = item;
+                       item->frag_next = citem;
+                       return 0;
+               }
+
+               pitem = citem;
+               citem = citem->frag_next;
+       } while (citem != NULL);
+
+       /* we reached the end of the list, insert */
+       pitem->frag_next = item;
+       return 0;
+}
+
 int 
 isakmp_frag_extract(iph1, msg)
        struct ph1handle *iph1;
@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
        item->frag_next = NULL;
        item->frag_packet = buf;
 
-       /* Look for the last frag while inserting the new item in the chain */
-       if (item->frag_last)
-               last_frag = item->frag_num;
+       /* Check for the last frag before inserting the new item in the chain */
+       if (item->frag_last) {
+               /* if we have the last fragment, indices must match */
+               if (iph1->frag_last_index != 0 &&
+                   item->frag_last != iph1->frag_last_index) {
+                       plog(LLV_ERROR, LOCATION, NULL,
+                            "Repeated last fragment index mismatch\n");
+                       racoon_free(item);
+                       vfree(buf);
+                       return -1;
+               }
 
-       if (iph1->frag_chain == NULL) {
-               iph1->frag_chain = item;
-       } else {
-               struct isakmp_frag_item *current;
+               last_frag = iph1->frag_last_index = item->frag_num;
+       }
 
-               current = iph1->frag_chain;
-               while (current->frag_next) {
-                       if (current->frag_last)
-                               last_frag = item->frag_num;
-                       current = current->frag_next;
-               }
-               current->frag_next = item;
+       /* insert fragment into chain */
+       if (isakmp_frag_insert(iph1, item) == -1) {
+               plog(LLV_ERROR, LOCATION, NULL,
+                   "Repeated fragment index mismatch\n");
+               racoon_free(item);
+               vfree(buf);
+               return -1;
        }
 
-       /* If we saw the last frag, check if the chain is complete */
+       /* If we saw the last frag, check if the chain is complete
+        * we have a sorted list now, so just walk through */
        if (last_frag != 0) {
+               item = iph1->frag_chain;
                for (i = 1; i <= last_frag; i++) {
-                       item = iph1->frag_chain;
-                       do {
-                               if (item->frag_num == i)
-                                       break;
-                               item = item->frag_next;
-                       } while (item != NULL);
-
+                       if (item->frag_num != i)
+                               break;
+                       item = item->frag_next;
                        if (item == NULL) /* Not found */
                                break;
                }
 
-               if (item != NULL) /* It is complete */
+               if (i > last_frag) /* It is complete */
                        return 1;
        }
                
@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
        }
        data = buf->v;
 
+       item = iph1->frag_chain;
        for (i = 1; i <= frag_count; i++) {
-               item = iph1->frag_chain;
-               do {
-                       if (item->frag_num == i)
-                               break;
-                       item = item->frag_next;
-               } while (item != NULL);
-
-               if (item == NULL) {
+               if (item->frag_num != i) {
                        plog(LLV_ERROR, LOCATION, NULL, 
                            "Missing fragment #%d\n", i);
                        vfree(buf);
@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
                }
                memcpy(data, item->frag_packet->v, item->frag_packet->l);
                data += item->frag_packet->l;
+               item = item->frag_next;
        }
 
 out:
Index: pkg-ipsec-tools/src/racoon/isakmp_inf.c
===================================================================
--- pkg-ipsec-tools.orig/src/racoon/isakmp_inf.c
+++ pkg-ipsec-tools/src/racoon/isakmp_inf.c
@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
 #endif
 #ifdef ENABLE_FRAG
        iph1->frag = 0;
+       iph1->frag_last_index = 0;
        iph1->frag_chain = NULL;
 #endif
 
Index: pkg-ipsec-tools/src/racoon/isakmp.c
===================================================================
--- pkg-ipsec-tools.orig/src/racoon/isakmp.c
+++ pkg-ipsec-tools/src/racoon/isakmp.c
@@ -1072,6 +1072,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
                iph1->frag = 1;
        else
                iph1->frag = 0;
+       iph1->frag_last_index = 0;
        iph1->frag_chain = NULL;
 #endif
        iph1->approval = NULL;
@@ -1176,6 +1177,7 @@ isakmp_ph1begin_r(msg, remote, local, et
 #endif
 #ifdef ENABLE_FRAG
        iph1->frag = 0;
+       iph1->frag_last_index = 0;
        iph1->frag_chain = NULL;
 #endif
        iph1->approval = NULL;
Index: pkg-ipsec-tools/src/racoon/handler.h
===================================================================
--- pkg-ipsec-tools.orig/src/racoon/handler.h
+++ pkg-ipsec-tools/src/racoon/handler.h
@@ -1,4 +1,4 @@
-/*     $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $      */
+/*     $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $    */
 
 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
 
@@ -141,6 +141,7 @@ struct ph1handle {
 #endif
 #ifdef ENABLE_FRAG
        int frag;                       /* IKE phase 1 fragmentation */
+       int frag_last_index;
        struct isakmp_frag_item *frag_chain;    /* Received fragments */
 #endif
 
1	Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
2	Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
3	Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
4
5	Index: pkg-ipsec-tools/src/racoon/isakmp_frag.c
6	===================================================================
7	--- pkg-ipsec-tools.orig/src/racoon/isakmp_frag.c
8	+++ pkg-ipsec-tools/src/racoon/isakmp_frag.c
9	@@ -1,4 +1,4 @@
10	-/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */
11	+/* $NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */
12
13	/* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
14
15	@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
16	return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
17	}
18
19	+static int
20	+isakmp_frag_insert(struct ph1handle iph1, struct isakmp_frag_item item)
21	+{
22	+ struct isakmp_frag_item *pitem = NULL;
23	+ struct isakmp_frag_item *citem = iph1->frag_chain;
24	+
25	+ /* no frag yet, just insert at beginning of list */
26	+ if (iph1->frag_chain == NULL) {
27	+ iph1->frag_chain = item;
28	+ return 0;
29	+ }
30	+
31	+ do {
32	+ /* duplicate fragment number, abort (CVE-2016-10396) */
33	+ if (citem->frag_num == item->frag_num)
34	+ return -1;
35	+
36	+ /* need to insert before current item */
37	+ if (citem->frag_num > item->frag_num) {
38	+ if (pitem != NULL)
39	+ pitem->frag_next = item;
40	+ else
41	+ /* insert at the beginning of the list */
42	+ iph1->frag_chain = item;
43	+ item->frag_next = citem;
44	+ return 0;
45	+ }
46	+
47	+ pitem = citem;
48	+ citem = citem->frag_next;
49	+ } while (citem != NULL);
50	+
51	+ /* we reached the end of the list, insert */
52	+ pitem->frag_next = item;
53	+ return 0;
54	+}
55	+
56	int
57	isakmp_frag_extract(iph1, msg)
58	struct ph1handle *iph1;
59	@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
60	item->frag_next = NULL;
61	item->frag_packet = buf;
62
63	- /* Look for the last frag while inserting the new item in the chain */
64	- if (item->frag_last)
65	- last_frag = item->frag_num;
66	+ /* Check for the last frag before inserting the new item in the chain */
67	+ if (item->frag_last) {
68	+ /* if we have the last fragment, indices must match */
69	+ if (iph1->frag_last_index != 0 &&
70	+ item->frag_last != iph1->frag_last_index) {
71	+ plog(LLV_ERROR, LOCATION, NULL,
72	+ "Repeated last fragment index mismatch\n");
73	+ racoon_free(item);
74	+ vfree(buf);
75	+ return -1;
76	+ }
77
78	- if (iph1->frag_chain == NULL) {
79	- iph1->frag_chain = item;
80	- } else {
81	- struct isakmp_frag_item *current;
82	+ last_frag = iph1->frag_last_index = item->frag_num;
83	+ }
84
85	- current = iph1->frag_chain;
86	- while (current->frag_next) {
87	- if (current->frag_last)
88	- last_frag = item->frag_num;
89	- current = current->frag_next;
90	- }
91	- current->frag_next = item;
92	+ /* insert fragment into chain */
93	+ if (isakmp_frag_insert(iph1, item) == -1) {
94	+ plog(LLV_ERROR, LOCATION, NULL,
95	+ "Repeated fragment index mismatch\n");
96	+ racoon_free(item);
97	+ vfree(buf);
98	+ return -1;
99	}
100
101	- /* If we saw the last frag, check if the chain is complete */
102	+ /* If we saw the last frag, check if the chain is complete
103	+ * we have a sorted list now, so just walk through */
104	if (last_frag != 0) {
105	+ item = iph1->frag_chain;
106	for (i = 1; i <= last_frag; i++) {
107	- item = iph1->frag_chain;
108	- do {
109	- if (item->frag_num == i)
110	- break;
111	- item = item->frag_next;
112	- } while (item != NULL);
113	-
114	+ if (item->frag_num != i)
115	+ break;
116	+ item = item->frag_next;
117	if (item == NULL) /* Not found */
118	break;
119	}
120
121	- if (item != NULL) /* It is complete */
122	+ if (i > last_frag) /* It is complete */
123	return 1;
124	}
125
126	@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
127	}
128	data = buf->v;
129
130	+ item = iph1->frag_chain;
131	for (i = 1; i <= frag_count; i++) {
132	- item = iph1->frag_chain;
133	- do {
134	- if (item->frag_num == i)
135	- break;
136	- item = item->frag_next;
137	- } while (item != NULL);
138	-
139	- if (item == NULL) {
140	+ if (item->frag_num != i) {
141	plog(LLV_ERROR, LOCATION, NULL,
142	"Missing fragment #%d\n", i);
143	vfree(buf);
144	@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
145	}
146	memcpy(data, item->frag_packet->v, item->frag_packet->l);
147	data += item->frag_packet->l;
148	+ item = item->frag_next;
149	}
150
151	out:
152	Index: pkg-ipsec-tools/src/racoon/isakmp_inf.c
153	===================================================================
154	--- pkg-ipsec-tools.orig/src/racoon/isakmp_inf.c
155	+++ pkg-ipsec-tools/src/racoon/isakmp_inf.c
156	@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
157	#endif
158	#ifdef ENABLE_FRAG
159	iph1->frag = 0;
160	+ iph1->frag_last_index = 0;
161	iph1->frag_chain = NULL;
162	#endif
163
164	Index: pkg-ipsec-tools/src/racoon/isakmp.c
165	===================================================================
166	--- pkg-ipsec-tools.orig/src/racoon/isakmp.c
167	+++ pkg-ipsec-tools/src/racoon/isakmp.c
168	@@ -1072,6 +1072,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
169	iph1->frag = 1;
170	else
171	iph1->frag = 0;
172	+ iph1->frag_last_index = 0;
173	iph1->frag_chain = NULL;
174	#endif
175	iph1->approval = NULL;
176	@@ -1176,6 +1177,7 @@ isakmp_ph1begin_r(msg, remote, local, et
177	#endif
178	#ifdef ENABLE_FRAG
179	iph1->frag = 0;
180	+ iph1->frag_last_index = 0;
181	iph1->frag_chain = NULL;
182	#endif
183	iph1->approval = NULL;
184	Index: pkg-ipsec-tools/src/racoon/handler.h
185	===================================================================
186	--- pkg-ipsec-tools.orig/src/racoon/handler.h
187	+++ pkg-ipsec-tools/src/racoon/handler.h
188	@@ -1,4 +1,4 @@
189	-/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */
190	+/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */
191
192	/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
193
194	@@ -141,6 +141,7 @@ struct ph1handle {
195	#endif
196	#ifdef ENABLE_FRAG
197	int frag; /* IKE phase 1 fragmentation */
198	+ int frag_last_index;
199	struct isakmp_frag_item frag_chain; / Received fragments */
200	#endif
201