From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 27 Aug 2019 16:32:32 +0000 (+0200)
Subject: ikev2: Check the length of received COOKIE notifies
X-Git-Tag: 5.8.1rc2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=902f38dd3e94fb4147d7b7837032e178d5da0a0d;p=thirdparty%2Fstrongswan.git

ikev2: Check the length of received COOKIE notifies

As specified by RFC 7296, section 2.6, the data associated with COOKIE
notifications MUST be between 1 and 64 octets in length (inclusive).

Fixes #3160.
---

diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
index a69db93577..fc5c198020 100644
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -467,6 +467,14 @@ METHOD(payload_t, verify, status_t,
 			}
 			break;
 		}
+		case COOKIE:
+		{
+			if (this->notify_data.len < 1 || this->notify_data.len > 64)
+			{
+				bad_length = TRUE;
+			}
+			break;
+		}
 		case ADDITIONAL_IP4_ADDRESS:
 		{
 			if (this->notify_data.len != 4)