network_cmds-245.8.tar.gz

diff --git a/alias/alias.c b/alias/alias.c
index 561245a16caadc1490dc032a4bb06c2895e404ad..53273abe14aa96c3d6a81e800e53f7b121175db3 100644 (file)
--- a/alias/alias.c
+++ b/alias/alias.c
@@ -212,9 +212,11 @@ static void DoMSSClamp(struct tcphdr *tc)
                     if (packetAliasMSS < mssVal)
                     {
                         int accumulate = mssVal;
+                       int accnetorder = 0 ;
                         accumulate -= packetAliasMSS;
                         *mssPtr = htons(packetAliasMSS);
-                        ADJUST_CHECKSUM(accumulate, tc->th_sum);
+                       accnetorder = htons(accumulate);
+                        ADJUST_CHECKSUM(accnetorder, tc->th_sum);
                     }
 
                     option = optionEnd;

diff --git a/racoon.tproj/isakmp.c b/racoon.tproj/isakmp.c
index e188b3dcda9dff71a9779090cb55e466bad16266..48c296769ce9952866c88ba50bf8bdc3c52e2eaf 100644 (file)
--- a/racoon.tproj/isakmp.c
+++ b/racoon.tproj/isakmp.c
@@ -1357,7 +1357,7 @@ isakmp_parsewoh(np0, gen, len)
 
                p->type = np;
                p->len = ntohs(gen->len);
-               if (p->len == 0 || p->len > tlen) {
+               if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) {
                        plog(LLV_DEBUG, LOCATION, NULL,
                                "invalid length of payload\n");
                        vfree(result);

diff --git a/racoon.tproj/isakmp_agg.c b/racoon.tproj/isakmp_agg.c
index 709410108841f9c9d2f24c7a65bb7978ee2d8241..7d31b9f3e0034535287d1e286c86971600a44d0c 100644 (file)
--- a/racoon.tproj/isakmp_agg.c
+++ b/racoon.tproj/isakmp_agg.c
@@ -705,17 +705,10 @@ agg_i2send(iph1, msg)
 
 #ifdef IKE_NAT_T
        if (natd_type) {
-               if ((iph1->natt_flags & NATT_TYPE_MASK) == natt_type_apple) {
-                       if (iph1->local_natd)
-                               p = set_isakmp_payload(p, iph1->local_natd, natd_type);
-                       if (iph1->remote_natd)
-                               p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
-               } else {
-                       if (iph1->remote_natd)
-                               p = set_isakmp_payload(p, iph1->remote_natd, natd_type);
-                       if (iph1->local_natd)
-                               p = set_isakmp_payload(p, iph1->local_natd, ISAKMP_NPTYPE_NONE);
-               }
+               if (iph1->local_natd)
+                       p = set_isakmp_payload(p, iph1->local_natd, natd_type);
+               if (iph1->remote_natd)
+                       p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
        }
 #endif
 
@@ -1162,17 +1155,10 @@ agg_r1send(iph1, msg)
 #ifdef IKE_NAT_T
                if (nattvid) {
                        p = set_isakmp_payload(p, nattvid, iph1->natd_payload_type);
-                       if ((iph1->natt_flags & NATT_TYPE_MASK) == natt_type_apple) {
-                               if (iph1->local_natd)
-                                       p = set_isakmp_payload(p, iph1->local_natd, iph1->natd_payload_type);
-                               if (iph1->remote_natd)
-                                       p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
-                       } else {
-                               if (iph1->remote_natd)
-                                       p = set_isakmp_payload(p, iph1->remote_natd, iph1->natd_payload_type);
-                               if (iph1->local_natd)
-                                       p = set_isakmp_payload(p, iph1->local_natd, ISAKMP_NPTYPE_NONE);
-                       }
+                       if (iph1->local_natd)
+                               p = set_isakmp_payload(p, iph1->local_natd, iph1->natd_payload_type);
+                       if (iph1->remote_natd)
+                               p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
                }
 #endif
                break;
@@ -1256,17 +1242,10 @@ agg_r1send(iph1, msg)
 #ifdef IKE_NAT_T
        if (nattvid) {
                p = set_isakmp_payload(p, nattvid, iph1->natd_payload_type);
-               if ((iph1->natt_flags & NATT_TYPE_MASK) == natt_type_apple) {
-                       if (iph1->local_natd)
-                               p = set_isakmp_payload(p, iph1->local_natd, iph1->natd_payload_type);
-                       if (iph1->remote_natd)
-                               p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
-               } else {
-                       if (iph1->remote_natd)
-                               p = set_isakmp_payload(p, iph1->remote_natd, iph1->natd_payload_type);
-                       if (iph1->local_natd)
-                               p = set_isakmp_payload(p, iph1->local_natd, ISAKMP_NPTYPE_NONE);
-               }               
+               if (iph1->local_natd)
+                       p = set_isakmp_payload(p, iph1->local_natd, iph1->natd_payload_type);
+               if (iph1->remote_natd)
+                       p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
        }
 #endif
 

diff --git a/racoon.tproj/isakmp_ident.c b/racoon.tproj/isakmp_ident.c
index 6ed424f31c7a443a394b00bf7ba88ff1313d943c..ca55619129ca50d3c357a221d748f9a1bc155ba3 100644 (file)
--- a/racoon.tproj/isakmp_ident.c
+++ b/racoon.tproj/isakmp_ident.c
@@ -1649,17 +1649,10 @@ ident_ir2mx(iph1)
 
 #ifdef IKE_NAT_T
        if (natd_type) {
-               if ((iph1->natt_flags & NATT_TYPE_MASK) == natt_type_apple) {
-                       if (iph1->local_natd)
-                               p = set_isakmp_payload(p, iph1->local_natd, natd_type);
-                       if (iph1->remote_natd)
-                               p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
-               } else {
-                       if (iph1->remote_natd)
-                               p = set_isakmp_payload(p, iph1->remote_natd, natd_type);
-                       if (iph1->local_natd)
-                               p = set_isakmp_payload(p, iph1->local_natd, ISAKMP_NPTYPE_NONE);
-               }
+               if (iph1->local_natd)
+                       p = set_isakmp_payload(p, iph1->local_natd, natd_type);
+               if (iph1->remote_natd)
+                       p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
        }
 #endif
        error = 0;

diff --git a/racoon.tproj/main.c b/racoon.tproj/main.c
index 99b60f2755069ab893d2b4631cd0920b32dc212c..d48dc814c3b0fc0e670512fb5b5b1b24c437158b 100644 (file)
--- a/racoon.tproj/main.c
+++ b/racoon.tproj/main.c
@@ -138,7 +138,7 @@ main(ac, av)
        char **av;
 {
        int error;
-
+       
        if (geteuid() != 0) {
                errx(1, "must be root to invoke this program.");
                /* NOTREACHED*/

diff --git a/racoon.tproj/oakley.c b/racoon.tproj/oakley.c
index 5017f6609bbd55d0ad9e6fa6e71227db67058760..8d1a475045ee426a769f07f3a3142d4ac4323cf0 100644 (file)
--- a/racoon.tproj/oakley.c
+++ b/racoon.tproj/oakley.c
@@ -2099,23 +2099,28 @@ oakley_skeyid(iph1)
 
        /* SKEYID */
        switch(iph1->approval->authmethod) {
-       case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
-                /* if we have a preshared key defined, just use it */
-                if (iph1->rmconf->shared_secret) {
-
-                    switch (iph1->rmconf->secrettype) {
-                        case SECRETTYPE_KEY:
-                            iph1->authstr = getpsk(iph1->rmconf->shared_secret->v, iph1->rmconf->shared_secret->l-1);
-                            break;
-                        case SECRETTYPE_KEYCHAIN:
-                            iph1->authstr = getpskfromkeychain(iph1->rmconf->shared_secret->v);
-                            break;
-                        case SECRETTYPE_USE:
-                        default:
-                            iph1->authstr = vdup(iph1->rmconf->shared_secret);
-                    }
-
-                }
+       case OAKLEY_ATTR_AUTH_METHOD_PSKEY:     
+               if (iph1->nonce_p == NULL) {
+                       plog(LLV_ERROR, LOCATION, NULL,
+                               "no nonce payload received from peer.\n");
+                       goto end;
+               }
+        /* if we have a preshared key defined, just use it */
+       if (iph1->rmconf->shared_secret) {
+
+                       switch (iph1->rmconf->secrettype) {
+                               case SECRETTYPE_KEY:
+                                       iph1->authstr = getpsk(iph1->rmconf->shared_secret->v, iph1->rmconf->shared_secret->l-1);
+                                       break;
+                               case SECRETTYPE_KEYCHAIN:
+                                       iph1->authstr = getpskfromkeychain(iph1->rmconf->shared_secret->v);
+                                       break;
+                               case SECRETTYPE_USE:
+                               default:
+                                       iph1->authstr = vdup(iph1->rmconf->shared_secret);
+                       }
+
+               }
                else if (iph1->etype != ISAKMP_ETYPE_IDENT) {
                        iph1->authstr = getpskbyname(iph1->id_p);
                        if (iph1->authstr == NULL) {
@@ -2180,6 +2185,11 @@ oakley_skeyid(iph1)
 #ifdef HAVE_GSSAPI
        case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
 #endif
+               if (iph1->nonce_p == NULL) {
+                       plog(LLV_ERROR, LOCATION, NULL,
+                               "no nonce payload received from peer.\n");
+                       goto end;
+               }
                len = iph1->nonce->l + iph1->nonce_p->l;
                buf = vmalloc(len);
                if (buf == NULL) {