[Swan] What to do when IKE packet is larger than size specified in ISAKMP HDR? (Cisco VPN client interop)
Elison Niven
elison.niven at cyberoam.com
Fri Jul 12 10:27:32 EEST 2013
Yes, this is needed. Also note that Cisco VPN client adds exactly 16
bytes.
I used if (pbs_room(&md->packet_pbs) - md->hdr.isa_length == 16) to
not drop the packet, but your approach is better.
On Thursday 11 July 2013 08:46:18 PM IST, Paul Wouters wrote:
>
> I received a report stating that the Cisco VPN client sometimes pads an
> IKE packet with zeros. This results in us ignoring the IKE packet with:
>
> packet from 1.2.3.4:xxx: size (873) differs from size specified in
> ISAKMP HDR (857)
>
> The code where we reject this wants an exact match:
>
> if (md->packet_pbs.roof != md->message_pbs.roof)
> {
>     libreswan_log("size (%u) differs from size specified in ISAKMP HDR (%u)"
>         , (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
>     return;
> }
>
> I propose that we change this check and only reject the packet when it
> is too short (meaning the IKE content is bogus anyway). If it is bigger,
> log a warning, but continue processing the packet (but explicitly
> ignoring those extra bytes so we never access those).
>
> My proposed change:
>
> if (md->packet_pbs.roof != md->message_pbs.roof)
> {
>     if (md->packet_pbs.roof < md->message_pbs.roof)
>     {
>         libreswan_log("size (%u) in received packet is smaller than the size specified in ISAKMP HDR (%u) - packet dropped"
>             , (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
>         return; /* drop packet */
>     } else {
>         libreswan_log("size (%u) in received packet is larger than the size specified in ISAKMP HDR (%u) - ignoring extraneous bytes"
>             , (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
>         /* clamp the packet roof to the header-declared length so the trailing bytes are never read */
>         md->packet_pbs.roof = md->message_pbs.roof;
>     }
> }
>
> Alternatively, we could put this within a per-conn option, but I think
> I'd rather do the above without adding another option for the user to
> think about.
>
> Paul
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
>
--
Best Regards,
Elison Niven
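The length check discussed in this thread, worked through as a stand-alone example (added here, not libreswan code): parse the 32-bit length field at offset 24 of the 28-byte ISAKMP header, drop a datagram that is shorter than the header claims, and for a datagram that is longer (the Cisco client's 16 zero bytes of trailer) hand the caller only the claimed length so the padding is never parsed. The packet builder, the scenario helpers and all sample values are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed ISAKMP/IKE header: 8-byte initiator SPI, 8-byte responder SPI,
 * next payload, version, exchange type, flags, 4-byte message ID, then
 * the 4-byte big-endian total length at offset 24 (28 bytes in all). */
#define ISAKMP_HDR_LEN 28
#define ISAKMP_LEN_OFF 24

enum pkt_verdict {
    PKT_BAD_HEADER, /* too short to hold a header, or header claims < 28 bytes */
    PKT_TOO_SHORT,  /* datagram shorter than the header claims: drop */
    PKT_EXACT,      /* datagram and header length agree */
    PKT_PADDED      /* datagram longer than claimed: parse only the claimed bytes */
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Same policy as the change proposed in the thread: reject a short packet,
 * but for an oversized one clamp the usable region to the claimed length.
 * *usable receives the number of bytes payload parsing may touch (0 on drop). */
enum pkt_verdict check_isakmp_length(const uint8_t *pkt, size_t pkt_len, size_t *usable)
{
    *usable = 0;
    if (pkt_len < ISAKMP_HDR_LEN)
        return PKT_BAD_HEADER;

    uint32_t claimed = get_be32(pkt + ISAKMP_LEN_OFF);
    if (claimed < ISAKMP_HDR_LEN)
        return PKT_BAD_HEADER;

    if (pkt_len < claimed) {
        fprintf(stderr, "size (%zu) in received packet is smaller than the size "
                        "specified in ISAKMP HDR (%u) - packet dropped\n", pkt_len, claimed);
        return PKT_TOO_SHORT;
    }
    *usable = claimed; /* the "roof" for any further parsing */
    if (pkt_len > claimed) {
        fprintf(stderr, "size (%zu) in received packet is larger than the size "
                        "specified in ISAKMP HDR (%u) - ignoring extraneous bytes\n", pkt_len, claimed);
        return PKT_PADDED;
    }
    return PKT_EXACT;
}

/* Constructed datagram: a header claiming `claimed` bytes, padded with zeros
 * to `actual` bytes (the SPI and version bytes are arbitrary filler). */
static uint8_t g_buf[128];

static size_t build_packet(uint32_t claimed, size_t actual)
{
    if (actual > sizeof g_buf)
        return 0;
    memset(g_buf, 0, sizeof g_buf);
    memset(g_buf, 0xAA, 8);                      /* initiator SPI filler */
    g_buf[17] = 0x20;                            /* version 2.0 */
    g_buf[ISAKMP_LEN_OFF + 0] = (uint8_t)(claimed >> 24);
    g_buf[ISAKMP_LEN_OFF + 1] = (uint8_t)(claimed >> 16);
    g_buf[ISAKMP_LEN_OFF + 2] = (uint8_t)(claimed >> 8);
    g_buf[ISAKMP_LEN_OFF + 3] = (uint8_t)claimed;
    return actual;
}

/* Scenario helpers: build a constructed datagram and run the check on it. */
enum pkt_verdict scenario(uint32_t claimed, size_t actual)
{
    size_t usable;
    return check_isakmp_length(g_buf, build_packet(claimed, actual), &usable);
}

size_t scenario_usable(uint32_t claimed, size_t actual)
{
    size_t usable;
    check_isakmp_length(g_buf, build_packet(claimed, actual), &usable);
    return usable;
}

int main(void)
{
    /* header claims 40 bytes; datagram carries 16 extra zero bytes, as the Cisco client does */
    printf("padded : verdict %d, usable %zu\n", scenario(40, 56), scenario_usable(40, 56));
    printf("exact  : verdict %d, usable %zu\n", scenario(40, 40), scenario_usable(40, 40));
    printf("short  : verdict %d, usable %zu\n", scenario(40, 36), scenario_usable(40, 36));
    return 0;
}
```

The important detail is that the clamp happens before any payload is parsed: a caller that keeps using the datagram length instead of the returned usable length would still read the trailer bytes, which is exactly what the proposed libreswan change avoids by lowering packet_pbs.roof.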