From 8dbe128c8c896763e13e1719bfc705aae783e4b1 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 16 Sep 2014 15:51:21 +0200
Subject: message: Limit maximum number of IKEv2 fragments

The maximum for IKEv1 is already 255 due to the 8-bit fragment number. With an overhead of 17 bytes (x64) per fragment and a default maximum of 10000 bytes per packet the maximum memory required is 14 kB for a fragmented message.
---
 src/libcharon/encoding/message.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'src/libcharon/encoding')

diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 5e5647dd6..cb6c97f25 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -930,6 +930,11 @@ struct private_message_t {
 fragment_data_t *frag;
 };
 
+/**
+ * Maximum number of fragments we will handle
+ */
+#define MAX_FRAGMENTS 255
+
 /**
  * A single fragment within a fragmented message
  */
@@ -2779,7 +2784,12 @@ METHOD(message_t, add_fragment_v2, status_t,
 }
 encrypted_fragment = (encrypted_fragment_payload_t*)payload;
 total = encrypted_fragment->get_total_fragments(encrypted_fragment);
-
+ if (total > MAX_FRAGMENTS)
+ {
+ DBG1(DBG_IKE, "maximum fragment count exceeded");
+ reset_defrag(this);
+ return FAILED;
+ }
 if (!this->fragments || total > this->frag->last)
 {
 reset_defrag(this);
--
cgit v1.2.3
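Review bot: The doc comment on `MAX_FRAGMENTS` does not say which protocol the limit applies to, why the value is 255, or what it protects, although the commit message explains all three. I would carry that into the comment, for example `Maximum number of IKEv2 fragments accepted per message (IKEv1 is already capped at 255 by its 8-bit fragment number); bounds the memory a peer can make us hold for reassembly.` The commit message's 14 kB estimate assumes the default maximum packet size of 10000 bytes, so the comment could also note that the bound scales with that setting.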
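Review bot: The new `DBG1` line in add_fragment_v2 does not log the fragment count the peer announced, so an operator who sees "maximum fragment count exceeded" cannot tell a peer slightly over the limit from one announcing an extreme value. Something like `DBG1(DBG_IKE, "maximum fragment count exceeded (%u)", total);` would make the event useful for triage; the format specifier assumes `total` is an unsigned integer, since its declaration is outside the hunk. The rejecting branch also calls `reset_defrag(this)`, which by its name discards fragments already collected for this message. A one-line comment such as `/* drop partial reassembly state, the peer violated our limit */` would record that this is intentional. The function body starts and ends outside the hunk.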