The NetBSD Project

CVS log for src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

[BACK] Up to [cvs.NetBSD.org] / src / crypto / dist / ipsec-tools / src / racoon

Request diff between arbitrary revisions


Default branch: MAIN
Current tag: MAIN


Revision 1.10 / (download) - annotate - [select for diffs], Fri Oct 5 20:12:37 2018 UTC (12 months, 1 week ago) by christos
Branch: MAIN
CVS Tags: phil-wifi-20190609, pgoyette-compat-20190127, pgoyette-compat-20190118, pgoyette-compat-1226, pgoyette-compat-1126, pgoyette-compat-1020, netbsd-9-base, netbsd-9, HEAD
Changes since 1.9: +51 -26 lines
Diff to previous 1.9 (colored)

From Thomas Reim:

Current racoon code cannot detect duplicate last fragments as it uses
the fragment flag instead of the fragment number.

The code does not consider that the IKE payload fragments might not be
received in the correct order. In this case, packet complete detection
will again fail and VPN clients abandoned from VPN service.
Nevertheless, clients still can add fragments to the fragment queue and
fill it up to the possible 255 fragments. Only duplicates are detected,
but not the fragments with a number greater than the last fragment
number.

The last fragment number is kept in the Phase 1 handler
after fragment queue deletion, which may lead to error notifications
after succesful reassembly of the IKE phase 1 message.

In general, the 2017's CVE fix added laconic and difficult to understand
failure notifications, which do not much help for analysis, why a VPN
client was blocked by racoon server.

This patch fixes the code and aligns it to Microsoft/Cisco IKE
fragmentation specification. It provides error logging which is in line
with above specification and adds some debug info to the logs to better
support analysis VPN client blackballing.

XXX: pullup-8

Revision 1.9 / (download) - annotate - [select for diffs], Tue Oct 2 18:49:24 2018 UTC (12 months, 2 weeks ago) by christos
Branch: MAIN
Changes since 1.8: +3 -3 lines
Diff to previous 1.8 (colored)

PR/53646: Thomas Reim: Incorrect detection of the packet complete code in
fragment list check.

While the fix in https://launchpad.net/~rdratlos/+archive/ubuntu/racoon

	- if (i > last_frag) /* It is complete */
	+ if (i >= last_frag) /* It is complete */

has the correct behavior, it violates the test for successful
completion of the invariant of the loop:

    for (i = 1; i <= last_frag; i++) {
	if (!check_fragment_index())
	    break;
    }
    if (i > last_frag)
	return ok;

It is better to move the check for NULL in the loop earlier, so that
the final iteration is done and the test is kept the same. It makes
the code easier to understand and preserves the original intent.

XXX: pullup-8

Revision 1.8 / (download) - annotate - [select for diffs], Sat May 19 19:32:16 2018 UTC (16 months, 4 weeks ago) by maxv
Branch: MAIN
CVS Tags: phil-wifi-base, pgoyette-compat-0930, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625, pgoyette-compat-0521
Branch point for: phil-wifi
Changes since 1.7: +1 -2 lines
Diff to previous 1.7 (colored)

More unused variables.

Revision 1.7 / (download) - annotate - [select for diffs], Sun Jul 23 05:40:27 2017 UTC (2 years, 2 months ago) by christos
Branch: MAIN
CVS Tags: pgoyette-compat-base, pgoyette-compat-0502, pgoyette-compat-0422, pgoyette-compat-0415, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315
Branch point for: pgoyette-compat
Changes since 1.6: +10 -5 lines
Diff to previous 1.6 (colored)

PR/51682: Antoine Beaupr Simplify and comment previous patch.
XXX: pullup-8

Revision 1.6 / (download) - annotate - [select for diffs], Tue Jan 24 19:23:31 2017 UTC (2 years, 8 months ago) by christos
Branch: MAIN
CVS Tags: prg-localcount2-base3, prg-localcount2-base2, prg-localcount2-base1, prg-localcount2-base, prg-localcount2, pgoyette-localcount-20170426, pgoyette-localcount-20170320, perseant-stdc-iso10646-base, perseant-stdc-iso10646, netbsd-8-base, bouyer-socketcan-base1
Branch point for: netbsd-8
Changes since 1.5: +63 -32 lines
Diff to previous 1.5 (colored)

PR/51682: Avoid DoS with fragment out of order insertion; keep fragments
sorted in the list.

Revision 1.5 / (download) - annotate - [select for diffs], Wed Apr 22 11:24:20 2009 UTC (10 years, 5 months ago) by tteras
Branch: MAIN
CVS Tags: yamt-pagecache-tag8, yamt-pagecache-base9, yamt-pagecache-base8, yamt-pagecache-base7, yamt-pagecache-base6, yamt-pagecache-base5, yamt-pagecache-base4, yamt-pagecache-base3, yamt-pagecache-base2, yamt-pagecache-base, yamt-pagecache, tls-maxphys-base, tls-maxphys, tls-earlyentropy-base, tls-earlyentropy, riastradh-xf86-video-intel-2-7-1-pre-2-21-15, riastradh-drm2-base3, riastradh-drm2-base2, riastradh-drm2-base1, riastradh-drm2-base, riastradh-drm2, pgoyette-localcount-base, pgoyette-localcount-20170107, pgoyette-localcount-20161104, pgoyette-localcount-20160806, pgoyette-localcount-20160726, netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-base, netbsd-7-2-RELEASE, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-2-RELEASE, netbsd-7-1-1-RELEASE, netbsd-7-1, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE, netbsd-7-0, netbsd-7, netbsd-6-base, netbsd-6-1-RELEASE, netbsd-6-1-RC4, netbsd-6-1-RC3, netbsd-6-1-RC2, netbsd-6-1-RC1, netbsd-6-1-5-RELEASE, netbsd-6-1-4-RELEASE, netbsd-6-1-3-RELEASE, netbsd-6-1-2-RELEASE, netbsd-6-1-1-RELEASE, netbsd-6-1, netbsd-6-0-RELEASE, netbsd-6-0-RC2, netbsd-6-0-RC1, netbsd-6-0-6-RELEASE, netbsd-6-0-5-RELEASE, netbsd-6-0-4-RELEASE, netbsd-6-0-3-RELEASE, netbsd-6-0-2-RELEASE, netbsd-6-0-1-RELEASE, netbsd-6-0, netbsd-6, matt-premerge-20091211, matt-nb6-plus-nbase, matt-nb6-plus-base, matt-nb6-plus, matt-mips64-premerge-20101231, localcount-20160914, khorben-n900, jym-xensuspend-nbase, jym-xensuspend-base, ipsec-tools-0_8_2, ipsec-tools-0_8_1, ipsec-tools-0_8_0, ipsec-tools-0_8-branch, cherry-xenmp-base, cherry-xenmp, bouyer-socketcan-base, bouyer-quota2-nbase, bouyer-quota2-base, bouyer-quota2, agc-symver-base, agc-symver
Branch point for: pgoyette-localcount, bouyer-socketcan
Changes since 1.4: +3 -2 lines
Diff to previous 1.4 (colored)

From Neil Kettle: Fix a possible null pointer dereference in fragmentation
code.

Revision 1.4 / (download) - annotate - [select for diffs], Sat Sep 9 16:22:09 2006 UTC (13 years, 1 month ago) by manu
Branch: MAIN
CVS Tags: yamt-pf42-baseX, yamt-pf42-base4, yamt-pf42-base3, yamt-pf42-base2, yamt-pf42-base, yamt-pf42, wrstuden-revivesa-base-3, wrstuden-revivesa-base-2, wrstuden-revivesa-base-1, wrstuden-revivesa-base, wrstuden-revivesa, wrstuden-fixsa-newbase, wrstuden-fixsa-base-1, wrstuden-fixsa-base, wrstuden-fixsa, netbsd-5-base, netbsd-5-2-RELEASE, netbsd-5-2-RC1, netbsd-5-2-3-RELEASE, netbsd-5-2-2-RELEASE, netbsd-5-2-1-RELEASE, netbsd-5-2, netbsd-5-1-RELEASE, netbsd-5-1-RC4, netbsd-5-1-RC3, netbsd-5-1-RC2, netbsd-5-1-RC1, netbsd-5-1-5-RELEASE, netbsd-5-1-4-RELEASE, netbsd-5-1-3-RELEASE, netbsd-5-1-2-RELEASE, netbsd-5-1-1-RELEASE, netbsd-5-1, netbsd-5-0-RELEASE, netbsd-5-0-RC4, netbsd-5-0-RC3, netbsd-5-0-RC2, netbsd-5-0-RC1, netbsd-5-0-2-RELEASE, netbsd-5-0-1-RELEASE, netbsd-5-0, netbsd-5, netbsd-4-base, netbsd-4-0-RELEASE, netbsd-4-0-RC5, netbsd-4-0-RC4, netbsd-4-0-RC3, netbsd-4-0-RC2, netbsd-4-0-RC1, netbsd-4-0-1-RELEASE, netbsd-4-0, netbsd-4, mjf-devfs2-base, mjf-devfs2, matt-nb5-pq3-base, matt-nb5-pq3, matt-nb5-mips64-u2-k2-k4-k7-k8-k9, matt-nb5-mips64-u1-k1-k5, matt-nb5-mips64-premerge-20101231, matt-nb5-mips64-premerge-20091211, matt-nb5-mips64-k15, matt-nb5-mips64, matt-nb4-mips64-k7-u2a-k9b, matt-mips64-base2, matt-mips64-base, matt-mips64, matt-armv6-prevmlocking, matt-armv6-nbase, matt-armv6-base, matt-armv6, keiichi-mipv6-base, keiichi-mipv6, ipsec-tools-0_7_1, ipsec-tools-0_7-rc1, ipsec-tools-0_7-beta3, ipsec-tools-0_7-beta2, ipsec-tools-0_7-beta1, ipsec-tools-0_7-base, ipsec-tools-0_7-RC1, ipsec-tools-0_7, hpcarm-cleanup-nbase, hpcarm-cleanup-base, hpcarm-cleanup, cube-autoconf-base, cube-autoconf
Branch point for: jym-xensuspend, ipsec-tools-0_7-branch
Changes since 1.3: +0 -0 lines
Diff to previous 1.3 (colored)

Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.

Revision 1.3 / (download) - annotate - [select for diffs], Mon Nov 21 14:20:29 2005 UTC (13 years, 10 months ago) by manu
Branch: MAIN
CVS Tags: abandoned-netbsd-4-base, abandoned-netbsd-4
Changes since 1.2: +0 -0 lines
Diff to previous 1.2 (colored)

Merge ipsec-tools 0.6.3 import

Revision 1.2 / (download) - annotate - [select for diffs], Sat Aug 20 00:57:06 2005 UTC (14 years, 2 months ago) by manu
Branch: MAIN
Changes since 1.1: +3 -1 lines
Diff to previous 1.1 (colored)

Update to ipsec-tools 0.6.1

Revision 1.1 / (download) - annotate - [select for diffs], Sat Feb 12 11:12:20 2005 UTC (14 years, 8 months ago) by manu
Branch: MAIN

Initial revision

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>