/[packages]/updates/5/ipsec-tools/current/SOURCES/ipsec-tools-0.8.2-CVE-2016-10396.patch
ViewVC logotype

Contents of /updates/5/ipsec-tools/current/SOURCES/ipsec-tools-0.8.2-CVE-2016-10396.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1186893 - (show annotations) (download)
Fri Dec 29 00:31:58 2017 UTC (17 months, 3 weeks ago) by luigiwalser
File size: 5805 byte(s)
add patch from ubuntu to fix CVE-2016-10396
1 Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
2 Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
3 Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
4
5 Index: pkg-ipsec-tools/src/racoon/isakmp_frag.c
6 ===================================================================
7 --- pkg-ipsec-tools.orig/src/racoon/isakmp_frag.c
8 +++ pkg-ipsec-tools/src/racoon/isakmp_frag.c
9 @@ -1,4 +1,4 @@
10 -/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */
11 +/* $NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */
12
13 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
14
15 @@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
16 return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
17 }
18
19 +static int
20 +isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
21 +{
22 + struct isakmp_frag_item *pitem = NULL;
23 + struct isakmp_frag_item *citem = iph1->frag_chain;
24 +
25 + /* no frag yet, just insert at beginning of list */
26 + if (iph1->frag_chain == NULL) {
27 + iph1->frag_chain = item;
28 + return 0;
29 + }
30 +
31 + do {
32 + /* duplicate fragment number, abort (CVE-2016-10396) */
33 + if (citem->frag_num == item->frag_num)
34 + return -1;
35 +
36 + /* need to insert before current item */
37 + if (citem->frag_num > item->frag_num) {
38 + if (pitem != NULL)
39 + pitem->frag_next = item;
40 + else
41 + /* insert at the beginning of the list */
42 + iph1->frag_chain = item;
43 + item->frag_next = citem;
44 + return 0;
45 + }
46 +
47 + pitem = citem;
48 + citem = citem->frag_next;
49 + } while (citem != NULL);
50 +
51 + /* we reached the end of the list, insert */
52 + pitem->frag_next = item;
53 + return 0;
54 +}
55 +
56 int
57 isakmp_frag_extract(iph1, msg)
58 struct ph1handle *iph1;
59 @@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
60 item->frag_next = NULL;
61 item->frag_packet = buf;
62
63 - /* Look for the last frag while inserting the new item in the chain */
64 - if (item->frag_last)
65 - last_frag = item->frag_num;
66 + /* Check for the last frag before inserting the new item in the chain */
67 + if (item->frag_last) {
68 + /* if we have the last fragment, indices must match */
69 + if (iph1->frag_last_index != 0 &&
70 + item->frag_last != iph1->frag_last_index) {
71 + plog(LLV_ERROR, LOCATION, NULL,
72 + "Repeated last fragment index mismatch\n");
73 + racoon_free(item);
74 + vfree(buf);
75 + return -1;
76 + }
77
78 - if (iph1->frag_chain == NULL) {
79 - iph1->frag_chain = item;
80 - } else {
81 - struct isakmp_frag_item *current;
82 + last_frag = iph1->frag_last_index = item->frag_num;
83 + }
84
85 - current = iph1->frag_chain;
86 - while (current->frag_next) {
87 - if (current->frag_last)
88 - last_frag = item->frag_num;
89 - current = current->frag_next;
90 - }
91 - current->frag_next = item;
92 + /* insert fragment into chain */
93 + if (isakmp_frag_insert(iph1, item) == -1) {
94 + plog(LLV_ERROR, LOCATION, NULL,
95 + "Repeated fragment index mismatch\n");
96 + racoon_free(item);
97 + vfree(buf);
98 + return -1;
99 }
100
101 - /* If we saw the last frag, check if the chain is complete */
102 + /* If we saw the last frag, check if the chain is complete
103 + * we have a sorted list now, so just walk through */
104 if (last_frag != 0) {
105 + item = iph1->frag_chain;
106 for (i = 1; i <= last_frag; i++) {
107 - item = iph1->frag_chain;
108 - do {
109 - if (item->frag_num == i)
110 - break;
111 - item = item->frag_next;
112 - } while (item != NULL);
113 -
114 + if (item->frag_num != i)
115 + break;
116 + item = item->frag_next;
117 if (item == NULL) /* Not found */
118 break;
119 }
120
121 - if (item != NULL) /* It is complete */
122 + if (i > last_frag) /* It is complete */
123 return 1;
124 }
125
126 @@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
127 }
128 data = buf->v;
129
130 + item = iph1->frag_chain;
131 for (i = 1; i <= frag_count; i++) {
132 - item = iph1->frag_chain;
133 - do {
134 - if (item->frag_num == i)
135 - break;
136 - item = item->frag_next;
137 - } while (item != NULL);
138 -
139 - if (item == NULL) {
140 + if (item->frag_num != i) {
141 plog(LLV_ERROR, LOCATION, NULL,
142 "Missing fragment #%d\n", i);
143 vfree(buf);
144 @@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
145 }
146 memcpy(data, item->frag_packet->v, item->frag_packet->l);
147 data += item->frag_packet->l;
148 + item = item->frag_next;
149 }
150
151 out:
152 Index: pkg-ipsec-tools/src/racoon/isakmp_inf.c
153 ===================================================================
154 --- pkg-ipsec-tools.orig/src/racoon/isakmp_inf.c
155 +++ pkg-ipsec-tools/src/racoon/isakmp_inf.c
156 @@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
157 #endif
158 #ifdef ENABLE_FRAG
159 iph1->frag = 0;
160 + iph1->frag_last_index = 0;
161 iph1->frag_chain = NULL;
162 #endif
163
164 Index: pkg-ipsec-tools/src/racoon/isakmp.c
165 ===================================================================
166 --- pkg-ipsec-tools.orig/src/racoon/isakmp.c
167 +++ pkg-ipsec-tools/src/racoon/isakmp.c
168 @@ -1072,6 +1072,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
169 iph1->frag = 1;
170 else
171 iph1->frag = 0;
172 + iph1->frag_last_index = 0;
173 iph1->frag_chain = NULL;
174 #endif
175 iph1->approval = NULL;
176 @@ -1176,6 +1177,7 @@ isakmp_ph1begin_r(msg, remote, local, et
177 #endif
178 #ifdef ENABLE_FRAG
179 iph1->frag = 0;
180 + iph1->frag_last_index = 0;
181 iph1->frag_chain = NULL;
182 #endif
183 iph1->approval = NULL;
184 Index: pkg-ipsec-tools/src/racoon/handler.h
185 ===================================================================
186 --- pkg-ipsec-tools.orig/src/racoon/handler.h
187 +++ pkg-ipsec-tools/src/racoon/handler.h
188 @@ -1,4 +1,4 @@
189 -/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */
190 +/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */
191
192 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
193
194 @@ -141,6 +141,7 @@ struct ph1handle {
195 #endif
196 #ifdef ENABLE_FRAG
197 int frag; /* IKE phase 1 fragmentation */
198 + int frag_last_index;
199 struct isakmp_frag_item *frag_chain; /* Received fragments */
200 #endif
201

  ViewVC Help
Powered by ViewVC 1.1.26