diff options
| author | Tobias Brunner <tobias@strongswan.org> | 2012-12-12 18:29:31 +0100 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2012-12-24 12:29:27 +0100 |
| commit | 8fc8383439675456e83e9aae5350124ab5758ea1 (patch) | |
| tree | e5e078724ec7d91412e24779c8624df4705812b6 /src/libcharon | |
| parent | 7d85f94165c73031e2567da762183fc28c3bbcce (diff) | |
| download | strongswan-8fc8383439675456e83e9aae5350124ab5758ea1.tar.bz2 strongswan-8fc8383439675456e83e9aae5350124ab5758ea1.tar.xz | |
Don't handle fragmented messages larger than charon.max_packet
Diffstat (limited to 'src/libcharon')
| -rw-r--r-- | src/libcharon/sa/ikev1/task_manager_v1.c | 43 |
1 files changed, 39 insertions, 4 deletions
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c index 5ba12e7ec..80d2b6d80 100644 --- a/src/libcharon/sa/ikev1/task_manager_v1.c +++ b/src/libcharon/sa/ikev1/task_manager_v1.c @@ -39,6 +39,7 @@ #include <processing/jobs/process_message_job.h> #include <encoding/payloads/fragment_payload.h> +#include <bio/bio_writer.h> /** * Number of old messages hashes we keep for retransmission. @@ -50,6 +51,11 @@ #define MAX_OLD_HASHES 2 /** + * Maximum packet size for fragmented packets (same as in sockets) + */ +#define MAX_PACKET 10000 + +/** * First sequence number of responding packets. * * To distinguish retransmission jobs for initiating and responding packets, @@ -191,6 +197,16 @@ struct private_task_manager_t { */ linked_list_t *list; + /** + * Length of all currently received fragments + */ + size_t len; + + /** + * Maximum length of a fragmented packet + */ + size_t max_packet; + } frag; /** @@ -263,6 +279,7 @@ static void clear_fragments(private_task_manager_t *this, u_int16_t id) DESTROY_FUNCTION_IF(this->frag.list, (void*)fragment_destroy); this->frag.list = NULL; this->frag.last = 0; + this->frag.len = 0; this->frag.id = id; } @@ -1098,6 +1115,7 @@ static status_t handle_fragment(private_task_manager_t *this, message_t *msg) enumerator_t *enumerator; fragment_t *fragment; status_t status = SUCCESS; + chunk_t data; u_int8_t num; payload = (fragment_payload_t*)msg->get_payload(msg, FRAGMENT_V1); @@ -1133,9 +1151,19 @@ static status_t handle_fragment(private_task_manager_t *this, message_t *msg) } } + data = payload->get_data(payload); + this->frag.len += data.len; + if (this->frag.len > this->frag.max_packet) + { + DBG1(DBG_IKE, "fragmented IKE message is too large"); + enumerator->destroy(enumerator); + clear_fragments(this, 0); + return FAILED; + } + INIT(fragment, .num = num, - .data = chunk_clone(payload->get_data(payload)), + .data = chunk_clone(data), ); this->frag.list->insert_before(this->frag.list, enumerator, fragment); @@ -1145,21 +1173,24 @@ static status_t handle_fragment(private_task_manager_t *this, message_t *msg) { message_t *message; packet_t *pkt; - chunk_t data = chunk_empty; host_t *src, *dst; + bio_writer_t *writer; + writer = bio_writer_create(this->frag.len); DBG1(DBG_IKE, "received fragment #%hhu, reassembling fragmented IKE " "message", num); enumerator = this->frag.list->create_enumerator(this->frag.list); while (enumerator->enumerate(enumerator, &fragment)) { - data = chunk_cat("mc", data, fragment->data); + writer->write_data(writer, fragment->data); } enumerator->destroy(enumerator); src = msg->get_source(msg); dst = msg->get_destination(msg); - pkt = packet_create_from_data(src->clone(src), dst->clone(dst), data); + pkt = packet_create_from_data(src->clone(src), dst->clone(dst), + writer->extract_buf(writer)); + writer->destroy(writer); message = message_create_from_packet(pkt); if (message->parse_header(message) != SUCCESS) @@ -1850,6 +1881,10 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa) .responding = { .seqnr = RESPONDING_SEQ, }, + .frag = { + .max_packet = lib->settings->get_int(lib->settings, + "%s.max_packet", MAX_PACKET, charon->name), + }, .ike_sa = ike_sa, .rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK), .queued_tasks = linked_list_create(), |