32 lines
1.2 KiB
Text
32 lines
1.2 KiB
Text
|
From 17a33dfd95b1a29e90db76414eb9622df9632320 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Guus Sliepen <guus@tinc-vpn.org>
|
||
|
|
Date: Fri, 12 Apr 2013 17:15:05 +0200
|
||
|
|
Subject: [PATCH] Drop packets forwarded via TCP if they are too big
|
||
|
|
(CVE-2013-1428).
|
||
|
|
|
||
|
|
Normally all requests sent via the meta connections are checked so that they
|
||
|
|
cannot be larger than the input buffer. However, when packets are forwarded via
|
||
|
|
meta connections, they are copied into a packet buffer without checking whether
|
||
|
|
it fits into it. Since the packet buffer is allocated on the stack, this in
|
||
|
|
effect allows an authenticated remote node to cause a stack overflow.
|
||
|
|
|
||
|
|
This issue was found by Martin Schobert.
|
||
|
|
---
|
||
|
|
src/net_packet.c | 3 +++
|
||
|
|
1 file changed, 3 insertions(+)
|
||
|
|
|
||
|
|
Index: tinc-1.0.13/src/net_packet.c
|
||
|
|
===================================================================
|
||
|
|
--- tinc-1.0.13.orig/src/net_packet.c 2010-03-13 17:53:33.000000000 +0000
|
||
|
|
+++ tinc-1.0.13/src/net_packet.c 2013-04-12 20:34:17.395183282 +0000
|
||
|
|
@@ -347,6 +347,9 @@
|
||
|
|
void receive_tcppacket(connection_t *c, char *buffer, int len) {
|
||
|
|
vpn_packet_t outpkt;
|
||
|
|
|
||
|
|
+ if(len > sizeof outpkt.data)
|
||
|
|
+ return;
|
||
|
|
+
|
||
|
|
outpkt.len = len;
|
||
|
|
if(c->options & OPTION_TCPONLY)
|
||
|
|
outpkt.priority = 0;
|