30 lines
1,012 B
Text
30 lines
1,012 B
Text
|
From 17a33dfd95b1a29e90db76414eb9622df9632320 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Guus Sliepen <guus@tinc-vpn.org>
|
||
|
|
Date: Fri, 12 Apr 2013 17:15:05 +0200
|
||
|
|
Subject: [PATCH] Drop packets forwarded via TCP if they are too big
|
||
|
|
(CVE-2013-1428).
|
||
|
|
|
||
|
|
Normally all requests sent via the meta connections are checked so that they
|
||
|
|
cannot be larger than the input buffer. However, when packets are forwarded via
|
||
|
|
meta connections, they are copied into a packet buffer without checking whether
|
||
|
|
it fits into it. Since the packet buffer is allocated on the stack, this in
|
||
|
|
effect allows an authenticated remote node to cause a stack overflow.
|
||
|
|
|
||
|
|
This issue was found by Martin Schobert.
|
||
|
|
---
|
||
|
|
src/net_packet.c | 3 +++
|
||
|
|
1 file changed, 3 insertions(+)
|
||
|
|
|
||
|
|
--- a/src/net_packet.c
|
||
|
|
+++ b/src/net_packet.c
|
||
|
|
@@ -378,6 +378,9 @@
|
||
|
|
void receive_tcppacket(connection_t *c, const char *buffer, int len) {
|
||
|
|
vpn_packet_t outpkt;
|
||
|
|
|
||
|
|
+ if(len > sizeof outpkt.data)
|
||
|
|
+ return;
|
||
|
|
+
|
||
|
|
outpkt.len = len;
|
||
|
|
if(c->options & OPTION_TCPONLY)
|
||
|
|
outpkt.priority = 0;
|