[strongSwan-dev] [PATCH 3/3] ike: fix prefix length of vendor id Cisco VPN Concentrator

Volker Rümelin vr_strongswan at t-online.de
Mon Nov 1 17:33:57 CET 2021


> Currently the length of vendor id Cisco VPN Concentrator is 16
> bytes  but the id string has only 13+1 bytes. The correct vendor
> id has 16 bytes with a prefix length of 14 bytes and two version
> bytes. Change the vendor id data accordingly.
> ---
>   src/libcharon/sa/ikev1/tasks/isakmp_vendor.c | 5 +++--
>   src/libcharon/sa/ikev2/tasks/ike_vendor.c    | 5 +++--
>   2 files changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
> index 17aeee0d3..55055930b 100644
> --- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
> +++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
> @@ -118,8 +118,9 @@ static struct {
>   	{ "MS NT5 ISAKMPOAKLEY", EXT_MS_WINDOWS, FALSE, TRUE, 16,
>   	  "\x1e\x2b\x51\x69\x05\x99\x1c\x7d\x7c\x96\xfc\xbf\xb5\x87\xe4\x61\x00\x00\x00\x00"},
>   
> -	{ "Cisco VPN Concentrator", 0, FALSE, TRUE, 16,
> -	  "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a"},
> +	/* Truncated MD5("ALTIGA GATEWAY") plus two version bytes */
> +	{ "Cisco VPN Concentrator", 0, FALSE, TRUE, 14,
> +	  "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a\x50\x00\x00"},
>   
>   	{ "Cisco VPN 3000 client", 0, FALSE, FALSE, 20,
>   	  "\xf6\xf7\xef\xc7\xf5\xae\xb8\xcb\x15\x8c\xb9\xd0\x94\xba\x69\xe7"},
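
Review bot: the added "Cisco VPN Concentrator" entry now declares a length of 14 for a 16-byte literal, and the comment does not say what happens to the last two bytes. If the length is the number of bytes compared, as the commit message's "prefix length" suggests, the trailing `\x00\x00` are never matched and are only placeholders; the comment should state that only the first 14 bytes are compared. The length and the literal are also kept in agreement by hand: the removed line declared 16 for a 13-byte literal, and the context entry "Cisco VPN 3000 client" just below declares 20 while its visible literal has 16 bytes. A check that the declared length never exceeds the size of the literal, either a static assertion or a loop over the table at startup, would catch this class of mistake.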

I can see another out of bounds read. The Cisco VPN 3000 client VID 
database entry claims the length is 20 bytes, but only provides a 16+1 
bytes string.

> diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
> index 5db1d185b..248b68ee4 100644
> --- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c
> +++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
> @@ -115,8 +115,9 @@ static vid_data_t vids[] = {
>   	  "\xfb\x1d\xe3\xcd\xf3\x41\xb7\xea\x16\xb7\xe5\xbe\x08\x55\xf1\x20"},
>   	{ "Vid-Initial-Contact", 0, NULL, FALSE, 16,
>   	  "\x26\x24\x4d\x38\xed\xdb\x61\xb3\x17\x2a\x36\xe3\xd0\xcf\xb8\x19"},
> -	{ "Cisco VPN Concentrator", 0, NULL, TRUE, 16,
> -	  "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a"},
> +	/* Truncated MD5("ALTIGA GATEWAY") plus two version bytes */
> +	{ "Cisco VPN Concentrator", 0, NULL, TRUE, 14,
> +	  "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a\x50\x00\x00"},
>   	{ "Cisco VPN 3000 client", 0, NULL, FALSE, 20,
>   	  "\xf6\xf7\xef\xc7\xf5\xae\xb8\xcb\x15\x8c\xb9\xd0\x94\xba\x69\xe7"},

And here again.

>   	{ "ZyXEL ZyWALL Router", 0, NULL, FALSE, 20,
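
Review bot: the added "Cisco VPN Concentrator" entry here is a byte-for-byte copy of the one added in isakmp_vendor.c, comment included, so every correction to this vendor ID has to be made in two tables that can drift apart. Consider defining the shared vendor ID bytes and their length once and referencing them from both the IKEv1 and IKEv2 tables, or at least noting in the comment that the entry is mirrored in the other file. The "Cisco VPN 3000 client" context lines carry the same 20 versus 16 byte mismatch in this table, so a fix for it also needs to land in both places.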

