Apply by doing: cd /usr/src patch -p0 < 015_isakmpd2.patch Then rebuild and install isakmpd: cd sbin/isakmpd make clean make depend make make install Index: sbin/isakmpd/doi.h =================================================================== RCS file: /cvs/src/sbin/isakmpd/doi.h,v retrieving revision 1.11 retrieving revision 1.11.2.1 diff -u -p -r1.11 -r1.11.2.1 --- sbin/isakmpd/doi.h 3 Jun 2003 14:28:16 -0000 1.11 +++ sbin/isakmpd/doi.h 17 Mar 2004 14:59:17 -0000 1.11.2.1 @@ -83,7 +83,7 @@ struct doi { int (*validate_key_information) (u_int8_t *, size_t); int (*validate_notification) (u_int16_t); int (*validate_proto) (u_int8_t); - int (*validate_situation) (u_int8_t *, size_t *); + int (*validate_situation) (u_int8_t *, size_t *, size_t); int (*validate_transform_id) (u_int8_t, u_int8_t); int (*initiator) (struct message *msg); int (*responder) (struct message *msg); Index: sbin/isakmpd/ike_quick_mode.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/ike_quick_mode.c,v retrieving revision 1.70 retrieving revision 1.70.2.1 diff -u -p -r1.70 -r1.70.2.1 --- sbin/isakmpd/ike_quick_mode.c 10 Jun 2003 16:41:29 -0000 1.70 +++ sbin/isakmpd/ike_quick_mode.c 17 Mar 2004 14:59:17 -0000 1.70.2.1 @@ -1163,12 +1163,18 @@ initiator_recv_HASH_SA_NONCE (struct mes if (!ie->id_ci || !ie->id_cr) { - log_error ("initiator_recv_HASH_SA_NONCE: malloc (%lu) failed", - (unsigned long)ie->id_cr_sz); + log_error ("initiator_recv_HASH_SA_NONCE: calloc (%lu, %lu) failed", + (unsigned long)ie->id_cr_sz, (unsigned long)sizeof (char)); if (ie->id_ci) - free (ie->id_ci); + { + free (ie->id_ci); + ie->id_ci = 0; + } if (ie->id_cr) - free (ie->id_cr); + { + free (ie->id_cr); + ie->id_cr = 0; + } return -1; } @@ -1176,7 +1182,9 @@ initiator_recv_HASH_SA_NONCE (struct mes { log_error ("initiator_recv_HASH_SA_NONCE: sa_family mismatch"); free (ie->id_ci); + ie->id_ci = 0; free (ie->id_cr); + ie->id_cr = 0; return -1; } @@ -1196,7 +1204,9 @@ initiator_recv_HASH_SA_NONCE (struct mes log_error ("initiator_recv_HASH_SA_NONCE: unknown sa_family %d", src->sa_family); free (ie->id_ci); + ie->id_ci = 0; free (ie->id_cr); + ie->id_cr = 0; return -1; } memcpy (ie->id_ci + ISAKMP_ID_DATA_OFF, sockaddr_addrdata (src), @@ -1744,9 +1754,15 @@ cleanup: if (my_hash) free (my_hash); if (ie->id_ci) - free (ie->id_ci); + { + free (ie->id_ci); + ie->id_ci = 0; + } if (ie->id_cr) - free (ie->id_cr); + { + free (ie->id_cr); + ie->id_cr = 0; + } return -1; } Index: sbin/isakmpd/ipsec.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/ipsec.c,v retrieving revision 1.80.2.1 retrieving revision 1.80.2.2 diff -u -p -r1.80.2.1 -r1.80.2.2 --- sbin/isakmpd/ipsec.c 13 Jan 2004 22:50:07 -0000 1.80.2.1 +++ sbin/isakmpd/ipsec.c 17 Mar 2004 14:59:17 -0000 1.80.2.2 @@ -122,7 +122,7 @@ static int ipsec_validate_id_information static int ipsec_validate_key_information (u_int8_t *, size_t); static int ipsec_validate_notification (u_int16_t); static int ipsec_validate_proto (u_int8_t); -static int ipsec_validate_situation (u_int8_t *, size_t *); +static int ipsec_validate_situation (u_int8_t *, size_t *, size_t); static int ipsec_validate_transform_id (u_int8_t, u_int8_t); static struct doi ipsec_doi = { @@ -853,35 +853,21 @@ ipsec_validate_proto (u_int8_t proto) } static int -ipsec_validate_situation (u_int8_t *buf, size_t *sz) +ipsec_validate_situation (u_int8_t *buf, size_t *sz, size_t len) { - int sit = GET_IPSEC_SIT_SIT (buf); - int off; - - if (sit & (IPSEC_SIT_SECRECY | IPSEC_SIT_INTEGRITY)) - { - /* - * XXX All the roundups below, round up to 32 bit boundaries given - * that the situation field is aligned. This is not necessarily so, - * but I interpret the drafts as this is like this they want it. - */ - off = ROUNDUP_32 (GET_IPSEC_SIT_SECRECY_LENGTH (buf)); - off += ROUNDUP_32 (GET_IPSEC_SIT_SECRECY_CAT_LENGTH (buf + off)); - off += ROUNDUP_32 (GET_IPSEC_SIT_INTEGRITY_LENGTH (buf + off)); - off += ROUNDUP_32 (GET_IPSEC_SIT_INTEGRITY_CAT_LENGTH (buf + off)); - *sz = off + IPSEC_SIT_SZ; + if (len < IPSEC_SIT_SIT_OFF + IPSEC_SIT_SIT_LEN) + { + log_print ("ipsec_validate_situation: payload too short: %u", + (unsigned int)len); + return -1; } - else - *sz = IPSEC_SIT_SIT_LEN; /* Currently only "identity only" situations are supported. */ -#ifdef notdef - return - sit & ~(IPSEC_SIT_IDENTITY_ONLY | IPSEC_SIT_SECRECY | IPSEC_SIT_INTEGRITY); -#else - return sit & ~IPSEC_SIT_IDENTITY_ONLY; -#endif + if (GET_IPSEC_SIT_SIT (buf) != IPSEC_SIT_IDENTITY_ONLY) return 1; + + *sz = IPSEC_SIT_SIT_LEN; + return 0; } Index: sbin/isakmpd/isakmp_cfg.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/isakmp_cfg.c,v retrieving revision 1.25 retrieving revision 1.25.2.1 diff -u -p -r1.25 -r1.25.2.1 --- sbin/isakmpd/isakmp_cfg.c 10 Jun 2003 16:41:29 -0000 1.25 +++ sbin/isakmpd/isakmp_cfg.c 17 Mar 2004 14:59:17 -0000 1.25.2.1 @@ -355,6 +355,8 @@ cfg_initiator_send_ATTR (struct message SET_ISAKMP_ATTR_LENGTH_VALUE (attr, length); memcpy (attr + ISAKMP_ATTR_VALUE_OFF, sockaddr_addrdata (sa), length); + + free (sa); off += ISAKMP_ATTR_SZ + length; } Index: sbin/isakmpd/isakmp_doi.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/isakmp_doi.c,v retrieving revision 1.16 retrieving revision 1.16.2.1 diff -u -p -r1.16 -r1.16.2.1 --- sbin/isakmpd/isakmp_doi.c 8 Aug 2003 08:46:59 -0000 1.16 +++ sbin/isakmpd/isakmp_doi.c 17 Mar 2004 14:59:17 -0000 1.16.2.1 @@ -67,7 +67,7 @@ static int isakmp_validate_id_informatio static int isakmp_validate_key_information (u_int8_t *, size_t); static int isakmp_validate_notification (u_int16_t); static int isakmp_validate_proto (u_int8_t); -static int isakmp_validate_situation (u_int8_t *, size_t *); +static int isakmp_validate_situation (u_int8_t *, size_t *, size_t); static int isakmp_validate_transform_id (u_int8_t, u_int8_t); static struct doi isakmp_doi = { @@ -197,7 +197,7 @@ isakmp_validate_proto (u_int8_t proto) } static int -isakmp_validate_situation (u_int8_t *buf, size_t *sz) +isakmp_validate_situation (u_int8_t *buf, size_t *sz, size_t len) { /* There are no situations in the ISAKMP DOI. */ *sz = 0; Index: sbin/isakmpd/message.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/message.c,v retrieving revision 1.61.2.1 retrieving revision 1.61.2.2 diff -u -p -r1.61.2.1 -r1.61.2.2 --- sbin/isakmpd/message.c 13 Jan 2004 22:50:07 -0000 1.61.2.1 +++ sbin/isakmpd/message.c 17 Mar 2004 14:59:18 -0000 1.61.2.2 @@ -110,6 +110,13 @@ static struct field *fields[] = { isakmp_vendor_fld, isakmp_attribute_fld }; +static u_int16_t min_payload_lengths[] = { + 0, ISAKMP_SA_SZ, ISAKMP_PROP_SZ, ISAKMP_TRANSFORM_SZ, ISAKMP_KE_SZ, + ISAKMP_ID_SZ, ISAKMP_CERT_SZ, ISAKMP_CERTREQ_SZ, ISAKMP_HASH_SZ, + ISAKMP_SIG_SZ, ISAKMP_NONCE_SZ, ISAKMP_NOTIFY_SZ, ISAKMP_DELETE_SZ, + ISAKMP_VENDOR_SZ, ISAKMP_ATTRIBUTE_SZ +}; + /* * Fields used for checking monotonic increasing of proposal and transform * numbers. @@ -283,10 +290,25 @@ message_parse_payloads (struct message * } /* - * Decode the payload length field. + * Decode and validate the payload length field. */ len = GET_ISAKMP_GEN_LENGTH (buf); + if ((payload < ISAKMP_PAYLOAD_RESERVED_MIN) + && (len < min_payload_lengths[payload])) + { + log_print ("message_parse_payloads: payload too short: %u", len); + message_drop (msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); + return -1; + } + + if (buf + len > (u_int8_t *)msg->iov[0].iov_base + msg->iov[0].iov_len) + { + log_print ("message_parse_payloads: payload too long: %u", len); + message_drop (msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); + return -1; + } + /* Ignore private payloads. */ if (next >= ISAKMP_PAYLOAD_PRIVATE_MIN) { @@ -550,8 +572,9 @@ message_validate_hash (struct message *m if (isakmp_sa == NULL) { - log_print ("message_validate_hash: invalid hash information"); - return -1; + log_print ("message_validate_hash: invalid hash information"); + message_drop (msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 1); + return -1; } isa = isakmp_sa->data; @@ -559,14 +582,16 @@ message_validate_hash (struct message *m if (hash == NULL) { - log_print ("message_validate_hash: invalid hash information"); - return -1; + log_print ("message_validate_hash: invalid hash information"); + message_drop (msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 1); + return -1; } /* If no SKEYID_a, we can not do anything (should not happen). */ if (!isa->skeyid_a) { log_print ("message_validate_hash: invalid hash information"); + message_drop (msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 1); return -1; } @@ -575,7 +600,10 @@ message_validate_hash (struct message *m isa->skeyid_len)); prf = prf_alloc (isa->prf_type, hash->type, isa->skeyid_a, isa->skeyid_len); if (!prf) - return -1; + { + message_free (msg); + return -1; + } comp_hash = (u_int8_t *)malloc (hash->hashsize); if (!comp_hash) @@ -583,6 +611,7 @@ message_validate_hash (struct message *m log_error ("message_validate_hash: malloc (%lu) failed", (unsigned long)hash->hashsize); prf_free (prf); + message_free (msg); return -1; } @@ -867,7 +896,8 @@ message_validate_sa (struct message *msg * Let the DOI validate the situation, at the same time it tells us what * the length of the situation field is. */ - if (exchange->doi->validate_situation (p->p + ISAKMP_SA_SIT_OFF, &len)) + if (exchange->doi->validate_situation (p->p + ISAKMP_SA_SIT_OFF, &len, + GET_ISAKMP_GEN_LENGTH (p->p) - ISAKMP_SA_SIT_OFF)) { log_print ("message_validate_sa: situation not supported"); message_drop (msg, ISAKMP_NOTIFY_SITUATION_NOT_SUPPORTED, 0, 1, 1); @@ -1256,6 +1286,7 @@ message_recv (struct message *msg) { LOG_DBG ((LOG_MISC, 10, "message_recv: no isakmp_sa for encrypted message")); + message_free (msg); return -1; } @@ -1710,6 +1741,9 @@ message_drop (struct message *msg, int n log_print ("dropped message from %s port %d due to notification type %s", address ? address : "", htons(port), constant_name (isakmp_notify_cst, notify)); + + if (address) + free (address); /* If specified, return a notification. */ if (notify) Index: sbin/isakmpd/util.h =================================================================== RCS file: /cvs/src/sbin/isakmpd/util.h,v retrieving revision 1.15 retrieving revision 1.15.2.1 diff -u -p -r1.15 -r1.15.2.1 --- sbin/isakmpd/util.h 3 Jun 2003 14:28:16 -0000 1.15 +++ sbin/isakmpd/util.h 17 Mar 2004 14:59:18 -0000 1.15.2.1 @@ -34,8 +34,6 @@ #define _UTIL_H_ #include - -#define ROUNDUP_32(x) (((x) + 3) & ~4) extern int allow_name_lookups; extern int regrand;