From: Tobias Brunner Date: Thu, 2 Mar 2017 10:51:27 +0000 (+0100) Subject: libipsec: Enforce a minimum of 256 for SPIs X-Git-Tag: 5.5.2dr6~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d8192bfcd74912600abc9417e392a0cb469260e;p=thirdparty%2Fstrongswan.git libipsec: Enforce a minimum of 256 for SPIs RFC 4303 reserves the SPIs between 1 and 255 for future use. This also avoids an overflow and a division by zero if spi_min is 0 and spi_max is 0xffffffff. --- diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c index 314785f67e..a1fa23e287 100644 --- a/src/libipsec/ipsec_sa_mgr.c +++ b/src/libipsec/ipsec_sa_mgr.c @@ -401,7 +401,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t, uint32_t spi_min, spi_max, spi_new; spi_min = lib->settings->get_int(lib->settings, "%s.spi_min", - 0x00000000, lib->ns); + 0x00000100, lib->ns); spi_max = lib->settings->get_int(lib->settings, "%s.spi_max", 0xffffffff, lib->ns); if (spi_min > spi_max) @@ -410,6 +410,9 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t, spi_min = spi_max; spi_max = spi_new; } + /* make sure the SPI is valid (not in range 0-255) */ + spi_min = max(spi_min, 0x00000100); + spi_max = max(spi_max, 0x00000100); this->mutex->lock(this->mutex); if (!this->rng) @@ -433,8 +436,6 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t, return FAILED; } spi_new = spi_min + spi_new % (spi_max - spi_min + 1); - /* make sure the SPI is valid (not in range 0-255) */ - spi_new |= 0x00000100; spi_new = htonl(spi_new); } while (!allocate_spi(this, spi_new));