[Swan] What to do when IKE packet is larger than size specified in ISAKMP HDR? (Cisco VPN client interop)

Elison Niven elison.niven at cyberoam.com
Fri Jul 12 10:27:32 EEST 2013


Yes, this is needed. Also note that Cisco VPN client adds exactly 16
bytes.
I used if (pbs_room(&md->packet_pbs) - md->hdr.isa_length == 16) then
do not drop the packet, but your approach is better.

On Thursday 11 July 2013 08:46:18 PM IST, Paul Wouters wrote:
>
> I received a report stating that the Cisco VPN client sometimes pads an
> IKE packet with zeros. This results in us ignoring the IKE packet with:
>
>     packet from 1.2.3.4:xxx: size (873) differs from size specified in
> ISAKMP HDR (857)
>
> The code where we reject this wants an exact match:
>
>     if (md->packet_pbs.roof != md->message_pbs.roof)
>     {
>         libreswan_log("size (%u) differs from size specified in ISAKMP HDR (%u)"
>             , (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
>         return;
>     }
>
> I propose that we change this check and only reject the packet when it
> is too short (meaning the IKE content is bogus anyway). If it is bigger,
> log a warning, but continue processing the packet (but explicitly
> ignoring those extra bytes so we never access those).
>
> My proposed change:
>
>     if (md->packet_pbs.roof != md->message_pbs.roof)
>     {
>         if (md->packet_pbs.roof < md->message_pbs.roof)
>         {
>             libreswan_log("size (%u) in received packet is smaller than the size specified in ISAKMP HDR (%u) - packet dropped"
>                 , (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
>             return; /* drop packet */
>         } else {
>             libreswan_log("size (%u) in received packet is larger than the size specified in ISAKMP HDR (%u) - ignoring extraneous bytes"
>                 , (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
>             /* clamp the parse boundary to the header length so the padding is never read */
>             md->packet_pbs.roof = md->message_pbs.roof;
>         }
>     }
>
> Alternatively, we could put this within a per-conn option, but I think
> I'd rather do the above without adding another option for the user to
> think about.
>
> Paul
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
>

--
Best Regards,
Elison Niven
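The length reconciliation the thread settles on (drop when the datagram is shorter than the ISAKMP header claims, clamp and continue when it is longer), as an added stand-alone example; this is not libreswan's code, the function and enum names are mine, and the two packets are constructed samples, not captures. The header layout (32-bit big-endian length at offset 24 of a 28-byte header) is from RFC 2408.

```c
#include <stddef.h>
#include <stdint.h>

#define ISAKMP_HDR_LEN 28   /* fixed ISAKMP header size (RFC 2408, section 3.1) */

enum pkt_verdict {
    PKT_OK = 0,              /* datagram size equals the header length */
    PKT_TRIMMED = 1,         /* datagram longer than header length: extra bytes ignored */
    PKT_DROP_TRUNCATED = -1, /* datagram shorter than header length: bogus, drop */
    PKT_DROP_NO_HDR = -2     /* no complete header, or header length below 28 */
};

/* The length field is the big-endian 32-bit word at offset 24 of the header. */
static uint32_t isakmp_hdr_length(const uint8_t *pkt)
{
    return ((uint32_t)pkt[24] << 24) | ((uint32_t)pkt[25] << 16) |
           ((uint32_t)pkt[26] << 8)  |  (uint32_t)pkt[27];
}

/* Decide whether to parse the datagram and how many bytes the parser may
 * touch. *msg_len never exceeds pkt_len, so payload parsing bounded by it
 * cannot read past the received buffer, and trailing padding is never read. */
enum pkt_verdict check_isakmp_length(const uint8_t *pkt, size_t pkt_len, size_t *msg_len)
{
    *msg_len = 0;
    if (pkt_len < ISAKMP_HDR_LEN || isakmp_hdr_length(pkt) < ISAKMP_HDR_LEN)
        return PKT_DROP_NO_HDR;
    uint32_t hdr_len = isakmp_hdr_length(pkt);
    if (hdr_len > pkt_len)
        return PKT_DROP_TRUNCATED;      /* the "smaller than" branch: drop */
    *msg_len = hdr_len;                 /* the "larger than" branch: clamp to header */
    return hdr_len == pkt_len ? PKT_OK : PKT_TRIMMED;
}

/* Constructed sample: a 28-byte header claiming length 28, followed by 16 zero
 * bytes, the trailing-padding pattern the thread reports for the Cisco client. */
static const uint8_t sample_padded[ISAKMP_HDR_LEN + 16] = {
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, /* initiator cookie */
    0,0,0,0,0,0,0,0,                         /* responder cookie */
    0x01,0x10,0x02,0x00,                     /* next payload SA, version 1.0, main mode, flags */
    0,0,0,0,                                 /* message ID */
    0x00,0x00,0x00,0x1c                      /* length = 28; the remaining 16 bytes stay zero */
};

/* Constructed sample: the header claims 40 bytes but only 28 arrived. */
static const uint8_t sample_truncated[ISAKMP_HDR_LEN] = { [24] = 0x00, 0x00, 0x00, 0x28 };
```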


