[strongSwan-dev] [PATCH 3/3] ike: fix prefix length of vendor id Cisco VPN Concentrator
Volker RĂ¼melin
vr_strongswan at t-online.de
Mon Nov 1 17:33:57 CET 2021
> Currently the length of vendor id Cisco VPN Concentrator is 16
> bytes but the id string has only 13+1 bytes. The correct vendor
> id has 16 bytes with a prefix length of 14 bytes and two version
> bytes. Change the vendor id data accordingly.
> ---
> src/libcharon/sa/ikev1/tasks/isakmp_vendor.c | 5 +++--
> src/libcharon/sa/ikev2/tasks/ike_vendor.c | 5 +++--
> 2 files changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
> index 17aeee0d3..55055930b 100644
> --- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
> +++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
> @@ -118,8 +118,9 @@ static struct {
> { "MS NT5 ISAKMPOAKLEY", EXT_MS_WINDOWS, FALSE, TRUE, 16,
> "\x1e\x2b\x51\x69\x05\x99\x1c\x7d\x7c\x96\xfc\xbf\xb5\x87\xe4\x61\x00\x00\x00\x00"},
>
> - { "Cisco VPN Concentrator", 0, FALSE, TRUE, 16,
> - "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a"},
> + /* Truncated MD5("ALTIGA GATEWAY") plus two version bytes */
> + { "Cisco VPN Concentrator", 0, FALSE, TRUE, 14,
> + "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a\x50\x00\x00"},
>
> { "Cisco VPN 3000 client", 0, FALSE, FALSE, 20,
> "\xf6\xf7\xef\xc7\xf5\xae\xb8\xcb\x15\x8c\xb9\xd0\x94\xba\x69\xe7"},
I can see another out of bounds read. The Cisco VPN 3000 client VID
database entry claims the length is 20 bytes, but only provides a 16+1
bytes string.
> diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
> index 5db1d185b..248b68ee4 100644
> --- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c
> +++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
> @@ -115,8 +115,9 @@ static vid_data_t vids[] = {
> "\xfb\x1d\xe3\xcd\xf3\x41\xb7\xea\x16\xb7\xe5\xbe\x08\x55\xf1\x20"},
> { "Vid-Initial-Contact", 0, NULL, FALSE, 16,
> "\x26\x24\x4d\x38\xed\xdb\x61\xb3\x17\x2a\x36\xe3\xd0\xcf\xb8\x19"},
> - { "Cisco VPN Concentrator", 0, NULL, TRUE, 16,
> - "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a"},
> + /* Truncated MD5("ALTIGA GATEWAY") plus two version bytes */
> + { "Cisco VPN Concentrator", 0, NULL, TRUE, 14,
> + "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a\x50\x00\x00"},
> { "Cisco VPN 3000 client", 0, NULL, FALSE, 20,
> "\xf6\xf7\xef\xc7\xf5\xae\xb8\xcb\x15\x8c\xb9\xd0\x94\xba\x69\xe7"},
And here again.
> { "ZyXEL ZyWALL Router", 0, NULL, FALSE, 20,
More information about the Dev
mailing list