fixed DPD null state bug

diff --git a/NEWS b/NEWS
index d30fcc32f92f91a6ba1f7bf9795e29b9533c8bbc..83308c772177128da7ba4c0774eae549f89c81b1 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,16 @@ strongswan-4.2.14
   relays EAP messages to and from a RADIUS server. Succesfully
   tested with with a freeradius server using EAP-MD5 and EAP-SIM.
 
+- A vulnerability in the Dead Peer Detection (RFC 3706) code was found by
+  Gerd v. Egidy <gerd.von.egidy@intra2net.com> of Intra2net AG affecting
+  all Openswan and strongSwan releases. A malicious (or expired ISAKMP)
+  R_U_THERE or R_U_THERE_ACK Dead Peer Detection packet can cause the
+  pluto IKE daemon to crash and restart. No authentication or encryption
+  is required to trigger this bug. One spoofed UDP packet can cause the
+  pluto IKE daemon to restart and be unresponsive for a few seconds while
+  restarting. This DPD null state vulnerability has been officially
+  registered as CVE-2009-0790 and is fixed by this release.
+
 - ASN.1 to time_t conversion caused a time wrap-around for
   dates after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
   As a workaround such dates are set to the maximum representable

diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index b59fe3c87b7224de8331446f371271c366a86109..f22cdbd04e2c573d53264128652fecee8fa72648 100644 (file)
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -5446,9 +5446,9 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p
    time_t tm = now();
     u_int32_t seqno;
 
-    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+    if (st == NULL || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
     {
-        loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISKAMP SA");
+        loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISAKMP SA");
         return STF_IGNORE;
     }
     if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
@@ -5516,10 +5516,10 @@ dpd_inR(struct state *st, struct isakmp_notification *const n, pb_stream *pbs)
 {
     u_int32_t seqno;
 
-    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+    if (st == NULL || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
     {
         loglog(RC_LOG_SERIOUS
-           , "DPD: Received R_U_THERE_ACK for unestablished ISKAMP SA");
+           , "DPD: Received R_U_THERE_ACK for unestablished ISAKMP SA");
         return STF_FAIL;
     }
 

diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index f548779cfb0b472051972f91291454e02b4fe832..3f682b2ba972382cae8e38123cfd32effaf3a2b1 100644 (file)
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -242,6 +242,7 @@ static struct vid_struct _vid_tab[] = {
        DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
        DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
 
+       DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.9")
        DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.8")
        DEC_MD5_VID(STRONGSWAN_2_8_7, "strongSwan 2.8.7")
        DEC_MD5_VID(STRONGSWAN_2_8_6, "strongSwan 2.8.6")

diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index e61c098aaa2ead827edcb0b4591e96394f0c1a6a..70d1ad4d135983cc2f18f4d931cced3a7521b5e3 100644 (file)
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -94,6 +94,7 @@ enum known_vendorid {
   VID_STRONGSWAN_2_8_6         = 72,
   VID_STRONGSWAN_2_8_7         = 73,
   VID_STRONGSWAN_2_8_8         = 74,
+  VID_STRONGSWAN_2_8_9         = 75,
 
   VID_STRONGSWAN_4_0_0         = 80,
   VID_STRONGSWAN_4_0_1         = 81,