From: Andreas Steffen
Date: Thu, 12 Jul 2012 19:14:21 +0000 (+0200)
Subject: prevent endless loop with oversize attributes
X-Git-Tag: 5.0.1~402
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8ef43d878699d152d9ae4ccfb6bd15837d6b1269;p=thirdparty%2Fstrongswan.git
prevent endless loop with oversize attributes
---
diff --git a/src/libimcv/imc/imc_agent.c b/src/libimcv/imc/imc_agent.c
index b372c4c57c..eb9f9befc5 100644
--- a/src/libimcv/imc/imc_agent.c
+++ b/src/libimcv/imc/imc_agent.c
@@ -384,7 +384,7 @@ METHOD(imc_agent_t, create_state, TNC_Result,
 "%slong %sexcl %ssoh", this->id, this->name, tnccs_p ? tnccs_p:"?", tnccs_v ? tnccs_v:"?", conn_id, has_long ? "+":"-", has_excl ? "+":"-", has_soh ? "+":"-");
- DBG2(DBG_IMC, " over %s %s with maximum PA-TNC msg size of %u bytes",
+ DBG2(DBG_IMC, " over %s %s with maximum PA-TNC message size of %u bytes",
 t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len);
 free(tnccs_p);
@@ -485,6 +485,7 @@ METHOD(imc_agent_t, send_message, TNC_Result,
 pa_tnc_msg_t *pa_tnc_msg;
 chunk_t msg;
 enumerator_t *enumerator;
+ bool attr_added;
 state = find_connection(this, connection_id);
 if (!state)
@@ -497,13 +498,25 @@ METHOD(imc_agent_t, send_message, TNC_Result,
 while (attr_list->get_count(attr_list))
 {
 pa_tnc_msg = pa_tnc_msg_create(state->get_max_msg_len(state));
+ attr_added = FALSE;
 enumerator = attr_list->create_enumerator(attr_list);
 while (enumerator->enumerate(enumerator, &attr))
 {
- if (!pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
+ if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
 {
- break;
+ attr_added = TRUE;
+ }
+ else
+ {
+ if (attr_added)
+ {
+ break;
+ }
+ else
+ {
+ DBG1(DBG_IMC, "PA-TNC attribute too large to send, deleted");
+ }
 }
 attr_list->remove_at(attr_list, enumerator);
 }
diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c
index 2f1c2d3d7b..68bde26e0f 100644
--- a/src/libimcv/imv/imv_agent.c
+++ b/src/libimcv/imv/imv_agent.c
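Review bot: In imc_agent.c's send_message, the new oversize branch logs "deleted" but only unlinks the attribute: `attr_list->remove_at(attr_list, enumerator);` still runs for it and nothing in the hunk releases the object, so unless add_attribute() takes ownership even when it returns FALSE (not visible here) every dropped attribute leaks. Adding `attr->destroy(attr);` after the DBG1 call would make the log message true. The drop is also silent for the caller: the rest of send_message is outside the hunk, but nothing here records that a measurement attribute was discarded, so the result can presumably still be success with incomplete posture data. The matching hunk in src/libimcv/imv/imv_agent.c has the same gap.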
@@ -407,7 +407,7 @@ METHOD(imv_agent_t, create_state, TNC_Result,
 "%slong %sexcl %ssoh", this->id, this->name, tnccs_p ? tnccs_p:"?", tnccs_v ? tnccs_v:"?", conn_id, has_long ? "+":"-", has_excl ? "+":"-", has_soh ? "+":"-");
- DBG2(DBG_IMV, " over %s %s with maximum PA-TNC msg size of %u bytes",
+ DBG2(DBG_IMV, " over %s %s with maximum PA-TNC message size of %u bytes",
 t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len);
 free(tnccs_p);
@@ -507,6 +507,7 @@ METHOD(imv_agent_t, send_message, TNC_Result,
 pa_tnc_msg_t *pa_tnc_msg;
 chunk_t msg;
 enumerator_t *enumerator;
+ bool attr_added;
 state = find_connection(this, connection_id);
 if (!state)
@@ -516,17 +517,27 @@ METHOD(imv_agent_t, send_message, TNC_Result,
 return TNC_RESULT_FATAL;
 }
- pa_tnc_msg = pa_tnc_msg_create(this->max_msg_len);
 while (attr_list->get_count(attr_list))
 {
 pa_tnc_msg = pa_tnc_msg_create(this->max_msg_len);
+ attr_added = FALSE;
 enumerator = attr_list->create_enumerator(attr_list);
 while (enumerator->enumerate(enumerator, &attr))
- {
- if (!pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
+ if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr))
+ {
+ attr_added = TRUE;
+ }
+ else
 {
- break;
+ if (attr_added)
+ {
+ break;
+ }
+ else
+ {
+ DBG1(DBG_IMV, "PA-TNC attribute too large to send, deleted");
+ }
 }
 attr_list->remove_at(attr_list, enumerator);
 }
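Review bot: The opening brace of the inner `while (enumerator->enumerate(enumerator, &attr))` loop in imv_agent.c's send_message is removed and never re-added, unlike the imc_agent.c version of the same change. As written the loop body is just the if/else, `attr_list->remove_at(attr_list, enumerator);` runs once after enumeration ends, and the following `}` closes the outer while instead, which probably leaves the rest of send_message (outside the hunk) unbalanced. Keep the `{` as a context line after the while and indent the `if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr))` one level deeper so both agents share the same loop shape.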