File novell-ipsec-tools_CVE-2009-1632.patch of Package novell-ipsec-tools
Index: ipsec-tools-0.7.1/src/racoon/crypto_openssl.c
===================================================================
--- ipsec-tools-0.7.1.orig/src/racoon/crypto_openssl.c
+++ ipsec-tools-0.7.1/src/racoon/crypto_openssl.c
@@ -895,6 +895,7 @@ eay_check_x509sign(source, sig, cert)
x509 = d2i_X509(NULL, (void *)&bp, cert->l);
if (x509 == NULL) {
plog(LLV_ERROR, LOCATION, NULL, "d2i_X509(): %s\n", eay_strerror());
+ X509_free(x509);
return -1;
}
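Review bot: The `X509_free(x509)` added on line 10 is dead code: it executes only inside the `x509 == NULL` branch, and OpenSSL's `X509_free()` is a no-op on a NULL pointer, so nothing is released there. Drop the line so a reader does not mistake it for the fix of the leak this CVE is about; the frees that matter are on the paths where `d2i_X509()` succeeded and `x509` holds a real object. `eay_check_x509sign` starts before this hunk.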
@@ -907,6 +908,7 @@ eay_check_x509sign(source, sig, cert)
res = eay_rsa_verify(source, sig, evp->pkey.rsa);
EVP_PKEY_free(evp);
+ X509_free(x509);
return res;
}
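Review bot: The `X509_free(x509)` on line 16 covers the success path only; the `X509_get_pubkey()` failure path between the two hunks (around original line 900) is not touched by this patch, and if it still does `return -1` without freeing `x509`, the certificate object leaks for every peer-supplied certificate whose public key cannot be extracted — exactly the remotely triggerable leak class this CVE describes. Add `X509_free(x509);` before that `return -1`, or restructure the function with a single cleanup label. This is inferred from the hunk boundaries; those lines are not in view and the function begins outside the hunk.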
Index: ipsec-tools-0.7.1/src/racoon/nattraversal.c
===================================================================
--- ipsec-tools-0.7.1.orig/src/racoon/nattraversal.c
+++ ipsec-tools-0.7.1/src/racoon/nattraversal.c
@@ -336,7 +336,7 @@ int plugin_update_natt_options(struct ph
void
natt_float_ports (struct ph1handle *iph1)
{
- if (! (iph1->natt_flags && NAT_DETECTED) )
+ if (! (iph1->natt_flags & NAT_DETECTED) )
return;
if (! iph1->natt_options->float_port){
/* Drafts 00 / 01, just schedule keepalive */
@@ -381,6 +381,15 @@ natt_handle_vendorid (struct ph1handle *
iph1->natt_flags |= NAT_ANNOUNCED;
}
+static void
+natt_keepalive_delete (struct natt_ka_addrs *ka)
+{
+ TAILQ_REMOVE (&ka_tree, ka, chain);
+ racoon_free (ka->src);
+ racoon_free (ka->dst);
+ racoon_free (ka);
+}
+
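Review bot: `natt_keepalive_delete` carries no comment stating its ownership contract: it unlinks the entry from `ka_tree` and frees `ka->src`, `ka->dst` and the entry itself, which is only correct if every element in `ka_tree` holds heap copies of both addresses (the insertion code is not in view; a shared or stack-resident address would be freed here). Add `/* Unlink ka from ka_tree and release it together with the src/dst address copies it owns. */` above the function. It is also worth stating in that comment that a caller deleting while walking the list must have fetched the next element before calling this.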
#ifdef PLUGINS_SUPPORT
void
natt_handle_private_vendorid (struct ph1handle *iph1, void *d)
@@ -420,8 +429,7 @@ natt_keepalive_send (void *param)
s = getsockmyaddr(ka->src);
if (s == -1) {
- TAILQ_REMOVE (&ka_tree, ka, chain);
- racoon_free (ka);
+ natt_keepalive_delete(ka);
continue;
}
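Review bot: The `continue` on line 53 runs after `ka` has been unlinked and freed by `natt_keepalive_delete(ka)`, so the loop advance must not dereference `ka`; this is safe only if the enclosing loop fetches the next element before the body (e.g. `for (ka = TAILQ_FIRST(&ka_tree); ka; ka = next) { next = TAILQ_NEXT(ka, chain); ... }`) rather than using `TAILQ_FOREACH`. The loop header of `natt_keepalive_send` is outside this hunk, so confirm it has that shape; the pattern pre-dates this patch but the new helper makes the free less visible at the call site.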
plog (LLV_DEBUG, LOCATION, NULL, "KA: %s\n",
@@ -522,8 +530,7 @@ natt_keepalive_remove (struct sockaddr *
plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
- TAILQ_REMOVE (&ka_tree, ka, chain);
- racoon_free (ka);
+ natt_keepalive_delete (ka);
/* Should we break here? Every pair of addresses should
be inserted only once, but who knows :-) Lets traverse
the whole list... */
Index: ipsec-tools-0.7.1/src/racoon/isakmp_frag.c
===================================================================
--- ipsec-tools-0.7.1.orig/src/racoon/isakmp_frag.c
+++ ipsec-tools-0.7.1/src/racoon/isakmp_frag.c
@@ -199,7 +199,8 @@ isakmp_frag_extract(iph1, msg)
* frag->len is the frag payload data plus the frag payload header,
* whose size is sizeof(*frag)
*/
- if (msg->l < sizeof(*isakmp) + ntohs(frag->len)) {
+ if (msg->l < sizeof(*isakmp) + ntohs(frag->len) ||
+ ntohs(frag->len) < sizeof(*frag) + 1) {
plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n");
return -1;
}
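Review bot: `ntohs(frag->len)` is evaluated twice in the new condition and the purpose of `+ 1` is not stated; hoist it into a local and comment it, e.g. `size_t frag_len = ntohs(frag->len);` followed by `/* a fragment must carry at least one payload byte beyond its header */` and `if (msg->l < sizeof(*isakmp) + frag_len || frag_len < sizeof(*frag) + 1)`. Both halves now share the "Fragment too short" message, so a fragment whose declared length is smaller than its own header is logged the same way as a truncated packet; a distinct message for the empty-payload case would help when diagnosing a malformed peer. The new test reads `frag->len` before checking anything, so it relies on an earlier check that `msg->l` covers `sizeof(*isakmp) + sizeof(*frag)`; that code precedes the hunk and should be confirmed. `isakmp_frag_extract` starts and ends outside this hunk.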