Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 |
Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682 |
Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986 |
|
5 |
Index: pkg-ipsec-tools/src/racoon/isakmp_frag.c |
6 |
=================================================================== |
7 |
--- pkg-ipsec-tools.orig/src/racoon/isakmp_frag.c |
8 |
+++ pkg-ipsec-tools/src/racoon/isakmp_frag.c |
9 |
@@ -1,4 +1,4 @@ |
10 |
-/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */ |
11 |
+/* $NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */ |
12 |
|
13 |
/* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */ |
14 |
|
15 |
@@ -173,6 +173,43 @@ vendorid_frag_cap(gen) |
16 |
return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]); |
17 |
} |
18 |
|
19 |
+static int |
20 |
+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item) |
21 |
+{ |
22 |
+ struct isakmp_frag_item *pitem = NULL; |
23 |
+ struct isakmp_frag_item *citem = iph1->frag_chain; |
24 |
+ |
25 |
+ /* no frag yet, just insert at beginning of list */ |
26 |
+ if (iph1->frag_chain == NULL) { |
27 |
+ iph1->frag_chain = item; |
28 |
+ return 0; |
29 |
+ } |
30 |
+ |
31 |
+ do { |
32 |
+ /* duplicate fragment number, abort (CVE-2016-10396) */ |
33 |
+ if (citem->frag_num == item->frag_num) |
34 |
+ return -1; |
35 |
+ |
36 |
+ /* need to insert before current item */ |
37 |
+ if (citem->frag_num > item->frag_num) { |
38 |
+ if (pitem != NULL) |
39 |
+ pitem->frag_next = item; |
40 |
+ else |
41 |
+ /* insert at the beginning of the list */ |
42 |
+ iph1->frag_chain = item; |
43 |
+ item->frag_next = citem; |
44 |
+ return 0; |
45 |
+ } |
46 |
+ |
47 |
+ pitem = citem; |
48 |
+ citem = citem->frag_next; |
49 |
+ } while (citem != NULL); |
50 |
+ |
51 |
+ /* we reached the end of the list, insert */ |
52 |
+ pitem->frag_next = item; |
53 |
+ return 0; |
54 |
+} |
55 |
+ |
56 |
int |
57 |
isakmp_frag_extract(iph1, msg) |
58 |
struct ph1handle *iph1; |
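Review bot: isakmp_frag_insert has no header comment stating its contract, although it is now the one place that defines the chain's invariants (sorted by frag_num, no duplicate numbers) and the ownership rule on failure. I would add above `static int`: `/* Insert item into iph1->frag_chain keeping it sorted by frag_num. Returns 0 on success, -1 if a fragment with the same frag_num is already chained; on -1 the item is not linked and stays owned by the caller. */` — appending at the tail also relies on item->frag_next being NULL on entry, which the caller in isakmp_frag_extract sets. A retransmitted fragment carrying an already-seen frag_num is now reported as an error rather than ignored; whether that ends the whole phase 1 depends on how the caller of isakmp_frag_extract handles its -1, which is outside this patch. The definition uses a prototype-style parameter list while the neighbouring functions in this file use K&R-style declarations, which is worth aligning for consistency.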
59 |
@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg) |
60 |
item->frag_next = NULL; |
61 |
item->frag_packet = buf; |
62 |
|
63 |
- /* Look for the last frag while inserting the new item in the chain */ |
64 |
- if (item->frag_last) |
65 |
- last_frag = item->frag_num; |
66 |
+ /* Check for the last frag before inserting the new item in the chain */ |
67 |
+ if (item->frag_last) { |
68 |
+ /* if we have the last fragment, indices must match */ |
69 |
+ if (iph1->frag_last_index != 0 && |
70 |
+ item->frag_last != iph1->frag_last_index) { |
71 |
+ plog(LLV_ERROR, LOCATION, NULL, |
72 |
+ "Repeated last fragment index mismatch\n"); |
73 |
+ racoon_free(item); |
74 |
+ vfree(buf); |
75 |
+ return -1; |
76 |
+ } |
77 |
|
78 |
- if (iph1->frag_chain == NULL) { |
79 |
- iph1->frag_chain = item; |
80 |
- } else { |
81 |
- struct isakmp_frag_item *current; |
82 |
+ last_frag = iph1->frag_last_index = item->frag_num; |
83 |
+ } |
84 |
|
85 |
- current = iph1->frag_chain; |
86 |
- while (current->frag_next) { |
87 |
- if (current->frag_last) |
88 |
- last_frag = item->frag_num; |
89 |
- current = current->frag_next; |
90 |
- } |
91 |
- current->frag_next = item; |
92 |
+ /* insert fragment into chain */ |
93 |
+ if (isakmp_frag_insert(iph1, item) == -1) { |
94 |
+ plog(LLV_ERROR, LOCATION, NULL, |
95 |
+ "Repeated fragment index mismatch\n"); |
96 |
+ racoon_free(item); |
97 |
+ vfree(buf); |
98 |
+ return -1; |
99 |
} |
100 |
|
101 |
- /* If we saw the last frag, check if the chain is complete */ |
102 |
+ /* If we saw the last frag, check if the chain is complete |
103 |
+ * we have a sorted list now, so just walk through */ |
104 |
if (last_frag != 0) { |
105 |
+ item = iph1->frag_chain; |
106 |
for (i = 1; i <= last_frag; i++) { |
107 |
- item = iph1->frag_chain; |
108 |
- do { |
109 |
- if (item->frag_num == i) |
110 |
- break; |
111 |
- item = item->frag_next; |
112 |
- } while (item != NULL); |
113 |
- |
114 |
+ if (item->frag_num != i) |
115 |
+ break; |
116 |
+ item = item->frag_next; |
117 |
if (item == NULL) /* Not found */ |
118 |
break; |
119 |
} |
120 |
|
121 |
- if (item != NULL) /* It is complete */ |
122 |
+ if (i > last_frag) /* It is complete */ |
123 |
return 1; |
124 |
} |
125 |
|
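Review bot: The completeness walk in the `if (last_frag != 0)` block never reports a complete chain: at `i == last_frag` the matching item's frag_next is NULL for a well-formed chain, so `if (item == NULL) break;` leaves the loop with `i == last_frag`, and the `i > last_frag` test below is then false. Testing for NULL before the comparison instead, `if (item == NULL || item->frag_num != i) /* Not found */ break;` followed by `item = item->frag_next;` (dropping the trailing NULL test), lets i reach last_frag + 1 exactly when fragments 1..last_frag are all chained. Separately, the repeated-last-fragment check compares `item->frag_last` against `iph1->frag_last_index`, while the line below stores `item->frag_num` into that field; unless frag_last carries the fragment number (not shown here) the comparison should read `item->frag_num != iph1->frag_last_index`. isakmp_frag_extract starts and ends outside this hunk.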
126 |
@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1) |
127 |
} |
128 |
data = buf->v; |
129 |
|
130 |
+ item = iph1->frag_chain; |
131 |
for (i = 1; i <= frag_count; i++) { |
132 |
- item = iph1->frag_chain; |
133 |
- do { |
134 |
- if (item->frag_num == i) |
135 |
- break; |
136 |
- item = item->frag_next; |
137 |
- } while (item != NULL); |
138 |
- |
139 |
- if (item == NULL) { |
140 |
+ if (item->frag_num != i) { |
141 |
plog(LLV_ERROR, LOCATION, NULL, |
142 |
"Missing fragment #%d\n", i); |
143 |
vfree(buf); |
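Review bot: `item->frag_num != i` dereferences item without a NULL check, so the rewritten loop is only safe if frag_count can never exceed the number of items in frag_chain; frag_count is computed outside this hunk, so I cannot confirm that from here. The old code tolerated a short chain by walking to NULL and reporting "Missing fragment"; keeping that property is a one-line change, `if (item == NULL || item->frag_num != i) {`, which makes the loop robust regardless of how frag_count is derived. isakmp_frag_reassembly starts and ends outside this hunk, and the matching `item = item->frag_next;` advance is in the following hunk.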
144 |
@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1) |
145 |
} |
146 |
memcpy(data, item->frag_packet->v, item->frag_packet->l); |
147 |
data += item->frag_packet->l; |
148 |
+ item = item->frag_next; |
149 |
} |
150 |
|
151 |
out: |
152 |
Index: pkg-ipsec-tools/src/racoon/isakmp_inf.c |
153 |
=================================================================== |
154 |
--- pkg-ipsec-tools.orig/src/racoon/isakmp_inf.c |
155 |
+++ pkg-ipsec-tools/src/racoon/isakmp_inf.c |
156 |
@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca |
157 |
#endif |
158 |
#ifdef ENABLE_FRAG |
159 |
iph1->frag = 0; |
160 |
+ iph1->frag_last_index = 0; |
161 |
iph1->frag_chain = NULL; |
162 |
#endif |
163 |
|
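Review bot: frag_last_index is zeroed alongside frag_chain at handle creation here and in the two isakmp.c hunks (isakmp_ph1begin_i, isakmp_ph1begin_r), but not at any place that clears frag_chain after a message has been reassembled; if such a reset exists outside this patch it needs `iph1->frag_last_index = 0;` as well, otherwise the next fragmented message on the same handle whose last fragment has a different index would be rejected by the new "Repeated last fragment index mismatch" check. The enclosing function continues outside the hunk, so I cannot tell from here whether the handle is reused that way.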
164 |
Index: pkg-ipsec-tools/src/racoon/isakmp.c |
165 |
=================================================================== |
166 |
--- pkg-ipsec-tools.orig/src/racoon/isakmp.c |
167 |
+++ pkg-ipsec-tools/src/racoon/isakmp.c |
168 |
@@ -1072,6 +1072,7 @@ isakmp_ph1begin_i(rmconf, remote, local) |
169 |
iph1->frag = 1; |
170 |
else |
171 |
iph1->frag = 0; |
172 |
+ iph1->frag_last_index = 0; |
173 |
iph1->frag_chain = NULL; |
174 |
#endif |
175 |
iph1->approval = NULL; |
176 |
@@ -1176,6 +1177,7 @@ isakmp_ph1begin_r(msg, remote, local, et |
177 |
#endif |
178 |
#ifdef ENABLE_FRAG |
179 |
iph1->frag = 0; |
180 |
+ iph1->frag_last_index = 0; |
181 |
iph1->frag_chain = NULL; |
182 |
#endif |
183 |
iph1->approval = NULL; |
184 |
Index: pkg-ipsec-tools/src/racoon/handler.h |
185 |
=================================================================== |
186 |
--- pkg-ipsec-tools.orig/src/racoon/handler.h |
187 |
+++ pkg-ipsec-tools/src/racoon/handler.h |
188 |
@@ -1,4 +1,4 @@ |
189 |
-/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */ |
190 |
+/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */ |
191 |
|
192 |
/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */ |
193 |
|
194 |
@@ -141,6 +141,7 @@ struct ph1handle { |
195 |
#endif |
196 |
#ifdef ENABLE_FRAG |
197 |
int frag; /* IKE phase 1 fragmentation */ |
198 |
+ int frag_last_index; |
199 |
struct isakmp_frag_item *frag_chain; /* Received fragments */ |
200 |
#endif |
201 |
|
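Review bot: The new `frag_last_index` member is the only field in this `#ifdef ENABLE_FRAG` group without a trailing comment, and its zero-means-unset convention is only visible from the `!= 0` check in isakmp_frag.c. I would write `int frag_last_index; /* frag_num of the last fragment seen, 0 = none yet */` so readers of the header learn both the meaning and the sentinel. struct ph1handle starts before this hunk.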