[Swan-commit] Changes to ref refs/heads/fragmentation

Paul Wouters paul at vault.libreswan.fi
Sat Mar 9 07:23:15 EET 2013


New commits:
commit 2c03d725571a9750f2961b556f09a597520a0973
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 9 00:13:09 2013 -0500

    * IKEv1: Only mark peer as fragment capable after assembling a fragment
    
    We used to mark a peer as fragment-capable after receiving a first
    fragment. Now we wait until we have assembled a full IKE packet from
    fragments.
    
    Regardless, when we receive the vendorid we deem them fragment capable.
    In theory this could be spoofed, but an attacker that can modify packets
    can do a DOS anyway.

commit 934a4944d6edd7a5aeac9fd7ed2e03f664da9d42
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Mar 9 00:12:34 2013 -0500

    * IKEv1: Don't process incoming fragments with ike_frag=no

commit 06b26d0c2b76e9abee5816d88c5cdcd90d741b1c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 21:59:21 2013 -0500

    * pluto: fix log message causing crash on INVALID_COOKIE
    
    Introduced a few commits ago by me using a wrong:
    
    	(st == NULL) ? st->st_msgid : ""
    
    (I paid for it with a few hours of my time)

commit 4d226e7c78305fe8b6554718bb06e1959c80a78c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 8 19:32:10 2013 -0500

    * ipsec.conf: Add documentation for ike_frag= option


