|
Removed
Link Here
|
| 1 |
From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001 |
| 2 |
From: Tobias Brunner <tobias@strongswan.org> |
| 3 |
Date: Tue, 11 Jul 2023 12:12:25 +0200 |
| 4 |
Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer |
| 5 |
overflow |
| 6 |
|
| 7 |
Seems this was forgotten in the referenced commit and actually could lead |
| 8 |
to a buffer overflow. Since charon-tkm is untrusted this isn't that |
| 9 |
much of an issue but could at least be easily exploited for a DoS attack |
| 10 |
as DH public values are set when handling IKE_SA_INIT requests. |
| 11 |
|
| 12 |
Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends") |
| 13 |
Fixes: CVE-2023-41913 |
| 14 |
--- |
| 15 |
src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++- |
| 16 |
1 file changed, 6 insertions(+), 1 deletion(-) |
| 17 |
|
| 18 |
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c |
| 19 |
index 2b2d103d03e9..6999ad360d7e 100644 |
| 20 |
--- src/charon-tkm/src/tkm/tkm_diffie_hellman.c |
| 21 |
+++ src/charon-tkm/src/tkm/tkm_diffie_hellman.c |
| 22 |
@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool, |
| 23 |
return TRUE; |
| 24 |
} |
| 25 |
|
| 26 |
- |
| 27 |
METHOD(key_exchange_t, set_public_key, bool, |
| 28 |
private_tkm_diffie_hellman_t *this, chunk_t value) |
| 29 |
{ |
| 30 |
dh_pubvalue_type othervalue; |
| 31 |
+ |
| 32 |
+ if (!key_exchange_verify_pubkey(this->group, value) || |
| 33 |
+ value.len > sizeof(othervalue.data)) |
| 34 |
+ { |
| 35 |
+ return FALSE; |
| 36 |
+ } |
| 37 |
othervalue.size = value.len; |
| 38 |
memcpy(&othervalue.data, value.ptr, value.len); |
| 39 |
|
| 40 |
-- |
| 41 |
2.34.1 |
| 42 |
|