4343b5a2fa
tinc (1.0.19-3~bpo60+1) squeeze-backports; urgency=high
* Rebuild for squeeze-backports.
* Build-depend on libvdeplug2-dev, not libvdeplug-dev,
as it is how it is named in squeeze.
tinc (1.0.19-3) unstable; urgency=high
* Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
29 lines
1,012 B
Text
29 lines
1,012 B
Text
From 17a33dfd95b1a29e90db76414eb9622df9632320 Mon Sep 17 00:00:00 2001
|
|
From: Guus Sliepen <guus@tinc-vpn.org>
|
|
Date: Fri, 12 Apr 2013 17:15:05 +0200
|
|
Subject: [PATCH] Drop packets forwarded via TCP if they are too big
|
|
(CVE-2013-1428).
|
|
|
|
Normally all requests sent via the meta connections are checked so that they
|
|
cannot be larger than the input buffer. However, when packets are forwarded via
|
|
meta connections, they are copied into a packet buffer without checking whether
|
|
it fits into it. Since the packet buffer is allocated on the stack, this in
|
|
effect allows an authenticated remote node to cause a stack overflow.
|
|
|
|
This issue was found by Martin Schobert.
|
|
---
|
|
src/net_packet.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
--- a/src/net_packet.c
|
|
+++ b/src/net_packet.c
|
|
@@ -378,6 +378,9 @@
|
|
void receive_tcppacket(connection_t *c, const char *buffer, int len) {
|
|
vpn_packet_t outpkt;
|
|
|
|
+ if(len > sizeof outpkt.data)
|
|
+ return;
|
|
+
|
|
outpkt.len = len;
|
|
if(c->options & OPTION_TCPONLY)
|
|
outpkt.priority = 0;
|