From: Tobias Brunner <tobias@strongswan.org>
Date: Wed, 12 Dec 2012 17:29:31 +0000 (+0100)
Subject: Don't handle fragmented messages larger than charon.max_packet
X-Git-Tag: 5.0.2dr4~8^2~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8fc8383439675456e83e9aae5350124ab5758ea1;p=thirdparty%2Fstrongswan.git

Don't handle fragmented messages larger than charon.max_packet
---

diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 5ba12e7ec0..80d2b6d804 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -39,6 +39,7 @@
 #include <processing/jobs/process_message_job.h>
 
 #include <encoding/payloads/fragment_payload.h>
+#include <bio/bio_writer.h>
 
 /**
  * Number of old messages hashes we keep for retransmission.
@@ -49,6 +50,11 @@
  */
 #define MAX_OLD_HASHES 2
 
+/**
+ * Maximum packet size for fragmented packets (same as in sockets)
+ */
+#define MAX_PACKET 10000
+
 /**
  * First sequence number of responding packets.
  *
@@ -191,6 +197,16 @@ struct private_task_manager_t {
 		 */
 		linked_list_t *list;
 
+		/**
+		 * Length of all currently received fragments
+		 */
+		size_t len;
+
+		/**
+		 * Maximum length of a fragmented packet
+		 */
+		size_t max_packet;
+
 	} frag;
 
 	/**
@@ -263,6 +279,7 @@ static void clear_fragments(private_task_manager_t *this, u_int16_t id)
 	DESTROY_FUNCTION_IF(this->frag.list, (void*)fragment_destroy);
 	this->frag.list = NULL;
 	this->frag.last = 0;
+	this->frag.len = 0;
 	this->frag.id = id;
 }
 
@@ -1098,6 +1115,7 @@ static status_t handle_fragment(private_task_manager_t *this, message_t *msg)
 	enumerator_t *enumerator;
 	fragment_t *fragment;
 	status_t status = SUCCESS;
+	chunk_t data;
 	u_int8_t num;
 
 	payload = (fragment_payload_t*)msg->get_payload(msg, FRAGMENT_V1);
@@ -1133,9 +1151,19 @@ static status_t handle_fragment(private_task_manager_t *this, message_t *msg)
 		}
 	}
 
+	data = payload->get_data(payload);
+	this->frag.len += data.len;
+	if (this->frag.len > this->frag.max_packet)
+	{
+		DBG1(DBG_IKE, "fragmented IKE message is too large");
+		enumerator->destroy(enumerator);
+		clear_fragments(this, 0);
+		return FAILED;
+	}
+
 	INIT(fragment,
 		.num = num,
-		.data = chunk_clone(payload->get_data(payload)),
+		.data = chunk_clone(data),
 	);
 
 	this->frag.list->insert_before(this->frag.list, enumerator, fragment);
@@ -1145,21 +1173,24 @@ static status_t handle_fragment(private_task_manager_t *this, message_t *msg)
 	{
 		message_t *message;
 		packet_t *pkt;
-		chunk_t data = chunk_empty;
 		host_t *src, *dst;
+		bio_writer_t *writer;
 
+		writer = bio_writer_create(this->frag.len);
 		DBG1(DBG_IKE, "received fragment #%hhu, reassembling fragmented IKE "
 			 "message", num);
 		enumerator = this->frag.list->create_enumerator(this->frag.list);
 		while (enumerator->enumerate(enumerator, &fragment))
 		{
-			data = chunk_cat("mc", data, fragment->data);
+			writer->write_data(writer, fragment->data);
 		}
 		enumerator->destroy(enumerator);
 
 		src = msg->get_source(msg);
 		dst = msg->get_destination(msg);
-		pkt = packet_create_from_data(src->clone(src), dst->clone(dst), data);
+		pkt = packet_create_from_data(src->clone(src), dst->clone(dst),
+									  writer->extract_buf(writer));
+		writer->destroy(writer);
 
 		message = message_create_from_packet(pkt);
 		if (message->parse_header(message) != SUCCESS)
@@ -1850,6 +1881,10 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
 		.responding = {
 			.seqnr = RESPONDING_SEQ,
 		},
+		.frag = {
+			.max_packet = lib->settings->get_int(lib->settings,
+					"%s.max_packet", MAX_PACKET, charon->name),
+		},
 		.ike_sa = ike_sa,
 		.rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
 		.queued_tasks = linked_list_create(),