Drop packets forwarded via TCP if they are too big (CVE-2013-1428).

[tinc] / src / net_packet.c

diff --git a/src/net_packet.c b/src/net_packet.c
index db571ba..27ca714 100644 (file)
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -22,12 +22,6 @@
 
 #include "system.h"
 
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-#include <openssl/hmac.h>
-
 #ifdef HAVE_ZLIB
 #include <zlib.h>
 #endif
@@ -449,6 +443,9 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
        vpn_packet_t outpkt;
 
+       if(len > sizeof outpkt.data)
+               return;
+
        outpkt.len = len;
        if(c->options & OPTION_TCPONLY)
                outpkt.priority = 0;
@@ -464,7 +461,7 @@ static void send_sptps_packet(node_t *n, vpn_packet_t *origpkt) {
                logger(DEBUG_TRAFFIC, LOG_INFO, "No valid key known yet for %s (%s)", n->name, n->hostname);
                if(!n->status.waitingforkey)
                        send_req_key(n);
-               else if(n->last_req_key + 10 < time(NULL)) {
+               else if(n->last_req_key + 10 < now.tv_sec) {
                        logger(DEBUG_ALWAYS, LOG_DEBUG, "No key from %s after 10 seconds, restarting SPTPS", n->name);
                        sptps_stop(&n->sptps);
                        n->status.waitingforkey = false;