message: Limit maximum number of IKEv2 fragments

The maximum for IKEv1 is already 255 due to the 8-bit fragment number.

With an overhead of 17 bytes (x64) per fragment and a default maximum
of 10000 bytes per packet the maximum memory required is 14 kB
for a fragmented message.

diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 5e5647dd6ee5e11c1599f8bfdbe0d511184eba78..cb6c97f25ac7d92feac5e9d831c0734b51419ce0 100644 (file)
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -930,6 +930,11 @@ struct private_message_t {
        fragment_data_t *frag;
 };
 
+/**
+ * Maximum number of fragments we will handle
+ */
+#define MAX_FRAGMENTS 255
+
 /**
  * A single fragment within a fragmented message
  */
@@ -2779,7 +2784,12 @@ METHOD(message_t, add_fragment_v2, status_t,
        }
        encrypted_fragment = (encrypted_fragment_payload_t*)payload;
        total = encrypted_fragment->get_total_fragments(encrypted_fragment);
-
+       if (total > MAX_FRAGMENTS)
+       {
+               DBG1(DBG_IKE, "maximum fragment count exceeded");
+               reset_defrag(this);
+               return FAILED;
+       }
        if (!this->fragments || total > this->frag->last)
        {
                reset_defrag(this);