From 17a33dfd95b1a29e90db76414eb9622df9632320 Mon Sep 17 00:00:00 2001 From: Guus Sliepen Date: Fri, 12 Apr 2013 17:15:05 +0200 Subject: [PATCH] Drop packets forwarded via TCP if they are too big (CVE-2013-1428). Normally all requests sent via the meta connections are checked so that they cannot be larger than the input buffer. However, when packets are forwarded via meta connections, they are copied into a packet buffer without checking whether it fits into it. Since the packet buffer is allocated on the stack, this in effect allows an authenticated remote node to cause a stack overflow. This issue was found by Martin Schobert. --- src/net_packet.c | 3 +++ 1 file changed, 3 insertions(+) --- a/src/net_packet.c +++ b/src/net_packet.c @@ -378,6 +378,9 @@ void receive_tcppacket(connection_t *c, const char *buffer, int len) { vpn_packet_t outpkt; + if(len > sizeof outpkt.data) + return; + outpkt.len = len; if(c->options & OPTION_TCPONLY) outpkt.priority = 0;