X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/d9c572c0d1634988834f2a68361f92bc7242cce4..674a30cecc483b9b8740e4571080bc9c8ddb6545:/ipsec-tools/racoon/isakmp_cfg.c
diff --git a/ipsec-tools/racoon/isakmp_cfg.c b/ipsec-tools/racoon/isakmp_cfg.c
index fbf4b9a..4308558 100644
--- a/ipsec-tools/racoon/isakmp_cfg.c
+++ b/ipsec-tools/racoon/isakmp_cfg.c
@@ -74,7 +74,6 @@
#include
#endif
#include
-#include
#include "var.h"
#include "misc.h"
@@ -187,7 +186,7 @@ isakmp_cfg_r(iph1, msg)
return;
}
- plog(ASL_LEVEL_DEBUG, "MODE_CFG packet\n");
+ plog(ASL_LEVEL_NOTICE, "MODE_CFG packet\n");
/* Now work with the decrypted packet */
packet = (struct isakmp *)dmsg->v;
@@ -246,7 +245,7 @@ isakmp_cfg_r(iph1, msg)
goto out;
}
- if (memcmp(ph + 1, check->v, check->l) != 0) {
+ if (timingsafe_bcmp(ph + 1, check->v, check->l) != 0) {
plog(ASL_LEVEL_ERR, "Hash verification failed\n");
vfree(payload);
@@ -310,7 +309,7 @@ isakmp_cfg_attr_r(iph1, msgid, attrpl, msg)
{
int type = attrpl->type;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Configuration exchange type %s\n", s_isakmp_cfg_ptype(type));
switch (type) {
case ISAKMP_CFG_ACK:
@@ -364,6 +363,12 @@ isakmp_cfg_reply(iph1, attrpl)
tlen -= sizeof(*attrpl);
while (tlen > 0) {
+ if (tlen < sizeof(struct isakmp_data)) {
+ plog(ASL_LEVEL_ERR,
+ "isakmp_cfg_reply invalid length of isakmp data, expected %zu actual %d\n",
+ sizeof(struct isakmp_data), tlen);
+ return -1;
+ }
type = ntohs(attr->type);
/* Handle short attributes */
@@ -399,10 +404,10 @@ isakmp_cfg_reply(iph1, attrpl)
alen = ntohs(attr->lorv);
/* Check that the attribute fit in the packet */
- if (tlen < alen) {
- plog(ASL_LEVEL_ERR,
- "Short attribute %s\n",
- s_isakmp_cfg_type(type));
+ if (tlen < (alen + sizeof(struct isakmp_data))) {
+ plog(ASL_LEVEL_ERR,
+ "Short attribute %s len %zu\n",
+ s_isakmp_cfg_type(type), alen);
return -1;
}
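Review bot: timingsafe_bcmp() still reads `check->l` bytes starting at `ph + 1` no matter how long the received HASH payload actually is, so the constant-time swap only helps if the payload body length was already checked to equal `check->l`; the `goto out` just above suggests such a check exists, but it is outside the hunk and worth confirming. If it is missing, reject the packet before comparing, e.g. `if (ntohs(ph->len) - sizeof(*ph) != check->l) goto out;` (assuming `ph` is the payload's generic header). Also note `timingsafe_bcmp` is a libc extension (OpenBSD/macOS `<string.h>`), not ISO C, so this tree loses buildability on glibc without a local fallback. isakmp_cfg_r starts and ends outside the hunk.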
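Review bot: In the new `tlen < (alen + sizeof(struct isakmp_data))` test the left side appears to be a signed int (it is printed with `%d` in the previous hunk) and is promoted to size_t, which is only safe because the enclosing `while (tlen > 0)` guarantees it is positive; a comment such as `/* tlen > 0 here (loop guard), so the int->size_t promotion cannot wrap */` would stop a later refactor from moving the check. For style, this hunk and the isakmp_cfg_request one spell the header size `sizeof(struct isakmp_data)` while the isakmp_cfg_set hunk uses `sizeof(*attr)` for the same quantity; pick one form. `%zu` for `alen` is correct only if `alen` is declared size_t, and its declaration is outside the hunk. isakmp_cfg_reply starts and ends outside the hunk.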
@@ -572,6 +577,12 @@ isakmp_cfg_request(iph1, attrpl, msg)
memset(payload->v, 0, sizeof(*reply));
while (tlen > 0) {
+ if (tlen < sizeof(struct isakmp_data)) {
+ plog(ASL_LEVEL_ERR,
+ "isakmp_cfg_request invalid length of isakmp data, expected %zu actual %d\n",
+ sizeof(struct isakmp_data), tlen);
+ goto end;
+ }
reply_attr = NULL;
type = ntohs(attr->type);
@@ -609,10 +620,10 @@ isakmp_cfg_request(iph1, attrpl, msg)
alen = ntohs(attr->lorv);
/* Check that the attribute fit in the packet */
- if (tlen < alen) {
- plog(ASL_LEVEL_ERR,
- "Short attribute %s\n",
- s_isakmp_cfg_type(type));
+ if (tlen < (sizeof(struct isakmp_data) + alen)) {
+ plog(ASL_LEVEL_ERR,
+ "Short attribute %s len %zu\n",
+ s_isakmp_cfg_type(type), alen);
goto end;
}
@@ -684,7 +695,7 @@ isakmp_cfg_request(iph1, attrpl, msg)
reply->type = ISAKMP_CFG_REPLY;
reply->id = attrpl->id;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Sending MODE_CFG REPLY\n");
error = isakmp_cfg_send(iph1, payload,
@@ -727,6 +738,13 @@ isakmp_cfg_set(iph1, attrpl, msg)
* We should send ack for the attributes we accepted */
while (tlen > 0) {
+ if (tlen < sizeof(struct isakmp_data)) {
+ plog(ASL_LEVEL_ERR,
+ "isakmp_cfg_set invalid length of isakmp data, expected %zu actual %d\n",
+ sizeof(struct isakmp_data), tlen);
+ vfree(payload);
+ return error;
+ }
reply_attr = NULL;
type = ntohs(attr->type);
@@ -759,6 +777,13 @@ isakmp_cfg_set(iph1, attrpl, msg)
attr++;
} else {
alen = ntohs(attr->lorv);
+ if (tlen < (sizeof(*attr) + alen)) {
+ plog(ASL_LEVEL_ERR,
+ "isakmp_cfg_set packet too short for type %d, expected %zu actual %zu\n",
+ type, alen, tlen - sizeof(*attr));
+ vfree(payload);
+ return error;
+ }
tlen -= (sizeof(*attr) + alen);
npp = (char *)attr;
attr = (struct isakmp_data *)
@@ -771,7 +796,7 @@ isakmp_cfg_set(iph1, attrpl, msg)
reply->type = ISAKMP_CFG_ACK;
reply->id = attrpl->id;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Sending MODE_CFG ACK\n");
error = isakmp_cfg_send(iph1, payload,
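Review bot: The new `goto end` bails out without assigning `error`, so the caller only learns that the REQUEST was truncated if `error` already holds a failure value at its declaration, which is outside the hunk; if it starts at 0 the function would report success after sending no reply. Assigning `error = -1;` right before the jump makes the exit self-evidently correct and independent of how the variable is initialised. The same applies to the `return error;` paths added in the isakmp_cfg_set hunks below. isakmp_cfg_request starts and ends outside the hunk.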
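Review bot: The short-attribute check added to isakmp_cfg_set is correct, but its log line is inconsistent with the equivalent checks in isakmp_cfg_reply and isakmp_cfg_request: it prints the attribute type as a bare number (`type %d`) and phrases the lengths as expected/actual, whereas the others print `s_isakmp_cfg_type(type)` and "Short attribute %s len %zu". Using the same helper and wording here, e.g. `"Short attribute %s len %zu\n", s_isakmp_cfg_type(type), alen`, keeps the three MODE_CFG parsers grep-able together and avoids the unlabeled numeric type. The `tlen - sizeof(*attr)` operand cannot wrap because the loop-top check in the previous hunk already guarantees `tlen >= sizeof(struct isakmp_data)`; a one-line comment saying so would help the next reader. isakmp_cfg_set starts and ends outside the hunk.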
@@ -1261,7 +1286,7 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg)
isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1);
#endif
- plog(ASL_LEVEL_DEBUG, "MODE_CFG packet to send\n");
+ plog(ASL_LEVEL_NOTICE, "MODE_CFG packet to send\n");
/* encoding */
if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) {
@@ -1311,7 +1336,7 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg)
}
}
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"sendto mode config %s.\n", s_isakmp_nptype(np));
/*
@@ -1421,7 +1446,7 @@ isakmp_cfg_getport(iph1)
isakmp_cfg_config.port_pool[i].used = 1;
- plog(ASL_LEVEL_INFO, "Using port %d\n", i);
+ plog(ASL_LEVEL_NOTICE, "Using port %d\n", i);
iph1->mode_cfg->flags |= ISAKMP_CFG_PORT_ALLOCATED;
iph1->mode_cfg->port = i;
@@ -1450,7 +1475,7 @@ isakmp_cfg_putport(iph1, index)
isakmp_cfg_config.port_pool[index].used = 0;
iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED;
- plog(ASL_LEVEL_INFO, "Released port %d\n", index);
+ plog(ASL_LEVEL_NOTICE, "Released port %d\n", index);
return 0;
}
@@ -1534,7 +1559,7 @@ isakmp_cfg_getconfig(iph1)
}
}
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Sending MODE_CFG REQUEST\n");
error = isakmp_cfg_send(iph1, buffer,
@@ -1657,7 +1682,7 @@ isakmp_cfg_resize_pool(size)
if (size == isakmp_cfg_config.pool_size) return 0;
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"Resize address pool from %zu to %d\n",
isakmp_cfg_config.pool_size, size);
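Review bot: The context line `iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED;` in isakmp_cfg_putport does the opposite of what its position implies: it keeps only the ALLOCATED bit and clears every other flag, while the matching isakmp_cfg_getport hunk just above sets the bit with `|=`. Releasing a port should clear it, i.e. `iph1->mode_cfg->flags &= ~ISAKMP_CFG_PORT_ALLOCATED;`; as written, a handle that has released its port still looks allocated and loses its other mode_cfg flags. This is pre-existing rather than introduced here, but the commit touches the adjacent line and is a good place to fix it. isakmp_cfg_putport starts outside the hunk.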