From: Guus Sliepen Date: Fri, 12 Apr 2013 15:15:05 +0000 (+0200) Subject: Drop packets forwarded via TCP if they are too big (CVE-2013-1428). X-Git-Tag: release-1.0.21~1 X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=commitdiff_plain;h=17a33dfd95b1a29e90db76414eb9622df9632320;hp=85a841258c1a19282b48c6b8663128568c16d9ab Drop packets forwarded via TCP if they are too big (CVE-2013-1428). Normally all requests sent via the meta connections are checked so that they cannot be larger than the input buffer. However, when packets are forwarded via meta connections, they are copied into a packet buffer without checking whether it fits into it. Since the packet buffer is allocated on the stack, this in effect allows an authenticated remote node to cause a stack overflow. This issue was found by Martin Schobert. --- diff --git a/src/net_packet.c b/src/net_packet.c index 1efc60dd..054679e9 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -394,6 +394,9 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { void receive_tcppacket(connection_t *c, const char *buffer, int len) { vpn_packet_t outpkt; + if(len > sizeof outpkt.data) + return; + outpkt.len = len; if(c->options & OPTION_TCPONLY) outpkt.priority = 0;
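Review bot: In receive_tcppacket(), the new guard `if(len > sizeof outpkt.data)` compares a signed int against a size_t, so a negative len is rejected only because it is implicitly converted to a large unsigned value. Writing that out, for example `if(len < 0 || (size_t)len > sizeof outpkt.data)`, keeps the bound correct if either type changes later and avoids a sign-compare warning. The early return also drops the packet silently; logging the connection and the offending length before returning would let an operator notice a peer that sends oversized packets over the meta connection.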