-rw-r--r-- | NEWS | 11 | ||||
-rw-r--r-- | src/libstrongswan/asn1/asn1.c | 27 | ||||
-rw-r--r-- | src/libstrongswan/asn1/asn1_parser.c | 2 | ||||
-rw-r--r-- | src/pluto/asn1.c | 33 | ||||
-rw-r--r-- | src/pluto/vendor.c | 6 | ||||
-rw-r--r-- | src/pluto/vendor.h | 2 |
6 files changed, 66 insertions, 15 deletions
@@ -1,3 +1,14 @@
+strongswan-4.2.16
+-----------------
+
+- Applying their fuzzing tool, the Orange Labs vulnerability research team
+ found another two DoS vulnerabilities, one in the rather old ASN.1 parser
+ of Relative Distinguished Names (RDNs) and a second one in the conversion
+ of ASN.1 UTCTIME and GENERALIZEDTIME strings to a time_t value.
+ Malformed X.509 certificate RDNs or timestamps can cause the pluto IKE
+ daemon to crash and restart.
+
+
 strongswan-4.2.15
 -----------------
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 85695bbea..e45e6cae9 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -261,6 +261,11 @@ u_int asn1_length(chunk_t *blob)
 len = 256*len + *blob->ptr++;
 blob->len--;
 }
+ if (len > blob->len)
+ {
+ DBG2("length is larger than remaining blob size");
+ return ASN1_INVALID_LENGTH;
+ }
 return len;
 }
@@ -283,14 +288,20 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 {
 int tz_hour, tz_min;
- sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+ {
+ return 0; /* error in positive timezone offset format */
+ }
 tz_offset = 3600*tz_hour + 60*tz_min; /* positive time zone offset */
 }
 else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
 {
 int tz_hour, tz_min;
- sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+ {
+ return 0; /* error in negative timezone offset format */
+ }
 tz_offset = -3600*tz_hour - 60*tz_min; /* negative time zone offset */
 }
 else
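Review bot: The asn1_length() header comment, which sits before this hunk, should now document the new postcondition, because asn1_parser.c's iterate() drops its own `blob->len < blob1->len` check in this same commit and relies entirely on this one: `/* Returns ASN1_INVALID_LENGTH if the encoded length is malformed or exceeds blob->len; length octets consumed before the check stay consumed. */`. The accumulation `len = 256*len + *blob->ptr++` runs in a loop whose bound lies outside the hunk; if that bound admits more than sizeof(u_int) length octets, len can wrap to a small value before the new comparison, so the check is only complete if the loop itself rejects over-long length fields, which is worth confirming there. The same applies to the pluto asn1_length() hunk (@@ -191) in src/pluto/asn1.c.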
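Review bot: The new `return 0` error paths use an in-band value, since 0 is a valid time_t (the epoch), so callers cannot tell a malformed timestamp from a genuine 1970-01-01 value, and malformed timestamps are exactly the input the NEWS entry describes. As changing the return type is out of scope here, the function comment (asn1_to_time() starts outside the hunk) should say so explicitly: `/* Returns 0 if the UTCTIME/GENERALIZEDTIME string is malformed; callers must treat 0 as invalid. */`. Separately, the `memchr()` calls are bounded by `utctime->len` but the `sscanf(eot+1, ...)` calls are not; unless the caller guarantees the chunk is NUL-terminated, which DER-derived chunks generally are not, sscanf can read past the end of the chunk, so checking that at least four bytes remain after `eot` (or copying the field into a small NUL-terminated local buffer first) would bound the read. The same applies to the second asn1_to_time() hunk (@@ -303) and to both asn1totime() hunks in src/pluto/asn1.c (@@ -368 and @@ -388).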
@@ -303,14 +314,20 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d": "%4d%2d%2d%2d%2d";
- sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
- &t.tm_hour, &t.tm_min);
+ if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+ &t.tm_hour, &t.tm_min) != 5)
+ {
+ return 0; /* error in time st [yy]yymmddhhmm time format */
+ }
 }
 /* is there a seconds field? */
 if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
 {
- sscanf(eot-2, "%2d", &t.tm_sec);
+ if (sscanf(eot-2, "%2d", &t.tm_sec) != 1)
+ {
+ return 0; /* error in ss seconds field format */
+ }
 }
 else
 {
diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
index 68c5e7307..a57f9adc6 100644
--- a/src/libstrongswan/asn1/asn1_parser.c
+++ b/src/libstrongswan/asn1/asn1_parser.c
@@ -160,7 +160,7 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 blob1->len = asn1_length(blob);
- if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+ if (blob1->len == ASN1_INVALID_LENGTH)
 {
 DBG1("L%d - %s: length of ASN.1 object invalid or too large",
 level, obj.name);
diff --git a/src/pluto/asn1.c b/src/pluto/asn1.c
index 30a0dba23..ac93a89e0 100644
--- a/src/pluto/asn1.c
+++ b/src/pluto/asn1.c
@@ -191,6 +191,13 @@ asn1_length(chunk_t *blob)
 len = 256*len + *blob->ptr++;
 blob->len--;
 }
+ if (len > blob->len)
+ {
+ DBG(DBG_PARSING,
+ DBG_log("length is larger than remaining blob size")
+ )
+ return ASN1_INVALID_LENGTH;
+ }
 return len;
 }
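Review bot: `%2d` in sscanf accepts leading whitespace and a sign, so a seconds field such as `-5` still satisfies the new `!= 1` check and lands in `t.tm_sec`, and the same holds for the five fields parsed through `format` against the `!= 5` check; unless these tm fields are range-checked later outside the hunk, the return-count test alone does not establish that the timestamp is well-formed. A digit check on the field bytes before calling sscanf, or a range check on the tm fields afterwards, would close this. As a wording nit, `/* error in time st [yy]yymmddhhmm time format */` has a stray `st`; `/* error in [yy]yymmddhhmm time format */` reads cleanly. The same applies to the asn1totime() hunk @@ -388 in src/pluto/asn1.c.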
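Review bot: Dropping the `blob->len < blob1->len` clause leaves iterate() correct only because asn1_length() now performs that comparison itself, and nothing at this call site records the dependency; a one-line comment above the check would keep the invariant visible to the next maintainer: `/* asn1_length() returns ASN1_INVALID_LENGTH when the length exceeds the remaining blob */`. iterate() begins and ends outside the hunk. The same applies to the extract_object() hunk @@ -592 in src/pluto/asn1.c.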
@@ -368,14 +375,20 @@ asn1totime(const chunk_t *utctime, asn1_t type)
 {
 int tz_hour, tz_min;
- sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+ {
+ return 0; /* error in positive timezone offset format */
+ }
 tz_offset = 3600*tz_hour + 60*tz_min; /* positive time zone offset */
 }
 else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
 {
 int tz_hour, tz_min;
- sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+ {
+ return 0; /* error in negative timezone offset format */
+ }
 tz_offset = -3600*tz_hour - 60*tz_min; /* negative time zone offset */
 }
 else
@@ -388,14 +401,20 @@ asn1totime(const chunk_t *utctime, asn1_t type)
 const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d": "%4d%2d%2d%2d%2d";
- sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
- &t.tm_hour, &t.tm_min);
- }
+ if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+ &t.tm_hour, &t.tm_min) != 5)
+ {
+ return 0; /* error in time st [yy]yymmddhhmm time format */
+ }
+ }
 /* is there a seconds field? */
 if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
 {
- sscanf(eot-2, "%2d", &t.tm_sec);
+ if (sscanf(eot-2, "%2d", &t.tm_sec) != 1)
+ {
+ return 0; /* error in ss seconds field format */
+ }
 }
 else
 {
@@ -592,7 +611,7 @@ extract_object(asn1Object_t const *objects,
 blob1->len = asn1_length(blob);
- if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+ if (blob1->len == ASN1_INVALID_LENGTH)
 {
 DBG(DBG_PARSING,
 DBG_log("L%d - %s: length of ASN.1 object invalid or too large",
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index a85f5e030..6bca0b58e 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -206,7 +206,8 @@ static struct vid_struct _vid_tab[] = {
 /*
 * strongSwan
 */
- DEC_MD5_VID(STRONGSWAN, "strongSwan 4.2.15")
+ DEC_MD5_VID(STRONGSWAN, "strongSwan 4.2.16")
+ DEC_MD5_VID(STRONGSWAN_4_2_15,"strongSwan 4.2.15")
 DEC_MD5_VID(STRONGSWAN_4_2_14,"strongSwan 4.2.14")
 DEC_MD5_VID(STRONGSWAN_4_2_13,"strongSwan 4.2.13")
 DEC_MD5_VID(STRONGSWAN_4_2_12,"strongSwan 4.2.12")
@@ -243,7 +244,8 @@ static struct vid_struct _vid_tab[] = {
 DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
 DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
- DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.9")
+ DEC_MD5_VID(STRONGSWAN_2_8_10,"strongSwan 2.8.10")
+ DEC_MD5_VID(STRONGSWAN_2_8_9, "strongSwan 2.8.9")
 DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.8")
 DEC_MD5_VID(STRONGSWAN_2_8_7, "strongSwan 2.8.7")
 DEC_MD5_VID(STRONGSWAN_2_8_6, "strongSwan 2.8.6")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 2d053801f..f6250a628 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -95,6 +95,7 @@ enum known_vendorid {
 VID_STRONGSWAN_2_8_7 = 73,
 VID_STRONGSWAN_2_8_8 = 74,
 VID_STRONGSWAN_2_8_9 = 75,
+ VID_STRONGSWAN_2_8_10 = 76,
 VID_STRONGSWAN_4_0_0 = 80,
 VID_STRONGSWAN_4_0_1 = 81,
@@ -132,6 +133,7 @@ enum known_vendorid {
 VID_STRONGSWAN_4_2_12 =112,
 VID_STRONGSWAN_4_2_13 =113,
 VID_STRONGSWAN_4_2_14 =114,
+ VID_STRONGSWAN_4_2_15 =115,
 /* 101 - 200 : NAT-Traversal */
 VID_NATT_STENBERG_01 =151, |