From 902f38dd3e94fb4147d7b7837032e178d5da0a0d Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 27 Aug 2019 18:32:32 +0200
Subject: [PATCH] ikev2: Check the length of received COOKIE notifies
As specified by RFC 7296, section 2.6, the data associated with COOKIE notifications MUST be between 1 and 64 octets in length (inclusive).
Fixes #3160.
---
 src/libcharon/encoding/payloads/notify_payload.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
index a69db93577..fc5c198020 100644
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -467,6 +467,14 @@ METHOD(payload_t, verify, status_t,
 }
 break;
 }
+ case COOKIE:
+ {
+ if (this->notify_data.len < 1 || this->notify_data.len > 64)
+ {
+ bad_length = TRUE;
+ }
+ break;
+ }
 case ADDITIONAL_IP4_ADDRESS:
 {
 if (this->notify_data.len != 4)
-- 
2.47.2
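Review bot: The bounds `1` and `64` in the new `case COOKIE:` branch are bare literals with no comment, so the reason for the limit lives only in the commit message; a comment such as `/* RFC 7296, section 2.6: COOKIE data MUST be 1..64 octets */` above the `if` would keep it with the code. If other code in the tree creates or compares cookies, a shared named constant for the upper bound would keep the sending and verifying sides from drifting apart; that code is not visible here, so this is something to check rather than a confirmed gap. The diffstat lists only notify_payload.c, so the boundary lengths 0, 1, 64 and 65 appear to have no test in this patch. verify() starts and ends outside the hunk, so how `bad_length` is turned into a rejection of the message cannot be confirmed from these lines.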