[Swan] What to do when IKE packet is larger than size specified in ISAKMP HDR? (Cisco VPN client interop)
Paul Wouters
pwouters at redhat.com
Thu Jul 11 18:16:18 EEST 2013
I received a report stating that the Cisco VPN client sometimes pads an
IKE packet with zeros. This results in us ignoring the IKE packet with:

    packet from 1.2.3.4:xxx: size (873) differs from size specified in ISAKMP HDR (857)

The code where we reject this wants an exact match:

    if (md->packet_pbs.roof != md->message_pbs.roof)
    {
        libreswan_log("size (%u) differs from size specified in ISAKMP HDR (%u)"
            , (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
        return;
    }

I propose that we change this check and only reject the packet when it
is too short (meaning the IKE content is bogus anyway). If it is bigger,
log a warning, but continue processing the packet (but explicitly
ignoring those extra bytes so we never access those).
My proposed change:

    if (md->packet_pbs.roof != md->message_pbs.roof)
    {
        if (md->packet_pbs.roof < md->message_pbs.roof)
        {
            libreswan_log("size (%u) in received packet is smaller than the size specified in ISAKMP HDR (%u) - packet dropped"
                , (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
            return; /* drop packet */
        } else {
            libreswan_log("size (%u) in received packet is larger than the size specified in ISAKMP HDR (%u) - ignoring extraneous bytes"
                , (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
            /* clamp the packet to the declared length so the extra bytes are never accessed */
            md->packet_pbs.roof = md->message_pbs.roof;
        }
    }

Alternatively, we could put this within a per-conn option, but I think
I'd rather do the above without adding another option for the user to
think about.
Paul
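
The length policy proposed in the message above, as a stand-alone added example (not libreswan code and not part of the original post). The names `ike_check_length`, `check_sample` and `last_usable` are hypothetical; the 28-byte header and the Length field at offset 24 are from RFC 2408, and dropping a declared length shorter than the header is an extra check the post does not discuss.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_SIZE 28u	/* fixed ISAKMP header size (RFC 2408) */
#define ISAKMP_LEN_OFF  24u	/* offset of the 4-byte big-endian Length field */

enum ike_len_verdict { IKE_LEN_OK, IKE_LEN_TRIMMED, IKE_LEN_DROP };

size_t last_usable;	/* set by check_sample(); exists only for the sample below */

/* Hypothetical helper: sets *usable to the number of bytes that may be parsed. */
enum ike_len_verdict ike_check_length(const uint8_t *pkt, size_t pkt_len, size_t *usable)
{
	uint32_t declared;

	*usable = 0;
	if (pkt == NULL || pkt_len < ISAKMP_HDR_SIZE)
		return IKE_LEN_DROP;	/* too short to hold a header */
	declared = ((uint32_t)pkt[ISAKMP_LEN_OFF] << 24) |
		   ((uint32_t)pkt[ISAKMP_LEN_OFF + 1] << 16) |
		   ((uint32_t)pkt[ISAKMP_LEN_OFF + 2] << 8) |
		    (uint32_t)pkt[ISAKMP_LEN_OFF + 3];
	if (declared < ISAKMP_HDR_SIZE || declared > pkt_len)
		return IKE_LEN_DROP;	/* bogus header, or datagram shorter than declared */
	*usable = declared;		/* trailing padding is never read */
	return declared == pkt_len ? IKE_LEN_OK : IKE_LEN_TRIMMED;
}

/* Constructed sample: zero-filled datagram of dgram_len bytes whose header declares `declared`. */
enum ike_len_verdict check_sample(size_t dgram_len, uint32_t declared)
{
	static uint8_t buf[2048];

	memset(buf, 0, sizeof(buf));
	buf[ISAKMP_LEN_OFF]     = (uint8_t)(declared >> 24);
	buf[ISAKMP_LEN_OFF + 1] = (uint8_t)(declared >> 16);
	buf[ISAKMP_LEN_OFF + 2] = (uint8_t)(declared >> 8);
	buf[ISAKMP_LEN_OFF + 3] = (uint8_t)declared;
	return ike_check_length(buf, dgram_len <= sizeof(buf) ? dgram_len : sizeof(buf), &last_usable);
}

int main(void)
{
	enum ike_len_verdict v = check_sample(873, 857);	/* sizes from the log line above */
	printf("verdict=%d usable=%zu\n", (int)v, last_usable);
	return 0;
}
```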