File novell-ipsec-tools_CVE-2009-1632.patch of Package novell-ipsec-tools

Index: ipsec-tools-0.7.1/src/racoon/crypto_openssl.c
===================================================================
--- ipsec-tools-0.7.1.orig/src/racoon/crypto_openssl.c
+++ ipsec-tools-0.7.1/src/racoon/crypto_openssl.c
@@ -895,6 +895,7 @@ eay_check_x509sign(source, sig, cert)
 	x509 = d2i_X509(NULL, (void *)&bp, cert->l);
 	if (x509 == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, "d2i_X509(): %s\n", eay_strerror());
+		X509_free(x509);
 		return -1;
 	}
 
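Review bot: The `X509_free(x509);` added on the failure branch is a no-op, because this branch is only taken when `x509 == NULL` (`d2i_X509` returned nothing to free); the line can be dropped, leaving `return -1;` as before. The leak this patch addresses is on the success path, which the second hunk of this file covers. eay_check_x509sign's body continues outside the hunk.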
@@ -907,6 +908,7 @@ eay_check_x509sign(source, sig, cert)
 	res = eay_rsa_verify(source, sig, evp->pkey.rsa);
 
 	EVP_PKEY_free(evp);
+	X509_free(x509);
 
 	return res;
 }
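Review bot: The new `X509_free(x509);` only runs on the path that reaches `eay_rsa_verify`; any early return between `d2i_X509` and that call (for example when extracting the public key from the certificate fails) lies outside this hunk and, unless it already frees `x509`, still leaks the certificate. The function starts before this hunk, so those exits should be checked, or the free moved under a single cleanup label that every exit after `d2i_X509` reaches. A comment such as `/* x509 is owned by this function; release it on every exit after d2i_X509 */` above the free would record the ownership rule.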
Index: ipsec-tools-0.7.1/src/racoon/nattraversal.c
===================================================================
--- ipsec-tools-0.7.1.orig/src/racoon/nattraversal.c
+++ ipsec-tools-0.7.1/src/racoon/nattraversal.c
@@ -336,7 +336,7 @@ int plugin_update_natt_options(struct ph
 void
 natt_float_ports (struct ph1handle *iph1)
 {
-	if (! (iph1->natt_flags && NAT_DETECTED) )
+	if (! (iph1->natt_flags & NAT_DETECTED) )
 		return;
 	if (! iph1->natt_options->float_port){
 		/* Drafts 00 / 01, just schedule keepalive */
@@ -381,6 +381,15 @@ natt_handle_vendorid (struct ph1handle *
       iph1->natt_flags |= NAT_ANNOUNCED;
 }
 
+static void
+natt_keepalive_delete (struct natt_ka_addrs *ka)
+{
+  TAILQ_REMOVE (&ka_tree, ka, chain);
+  racoon_free (ka->src);
+  racoon_free (ka->dst);
+  racoon_free (ka);
+}
+
 #ifdef PLUGINS_SUPPORT
 void
 natt_handle_private_vendorid (struct ph1handle *iph1, void *d)
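Review bot: natt_keepalive_delete has no comment stating its contract: it unlinks `ka` from `ka_tree` and frees `ka->src`, `ka->dst` and `ka` itself, so the caller must not touch `ka` afterwards. Suggest `/* Unlink ka from ka_tree and release it together with its address copies; ka is invalid on return. */` above the definition. Whether `racoon_free` tolerates a NULL `src` or `dst` is not visible here; if an entry can be queued with either address unset, guard those two calls.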
@@ -420,8 +429,7 @@ natt_keepalive_send (void *param)
     
     s = getsockmyaddr(ka->src);
     if (s == -1) {
-      TAILQ_REMOVE (&ka_tree, ka, chain);
-      racoon_free (ka);
+      natt_keepalive_delete(ka);
       continue;
     }
     plog (LLV_DEBUG, LOCATION, NULL, "KA: %s\n", 
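Review bot: After `natt_keepalive_delete(ka);` the `continue;` on the next line advances the enclosing loop, whose header is above this hunk; if that loop is a plain `TAILQ_FOREACH`, the step reads `ka->chain` from freed memory (a pre-existing problem the helper does not change, since the old code also freed `ka` here). The same pattern appears in the natt_keepalive_remove hunk below, where the trailing comment says the traversal continues after the removal. A safe form fetches the successor before deleting, e.g. `next = TAILQ_NEXT(ka, chain);` ahead of the call with the loop stepping on `next`, or a `TAILQ_FOREACH_SAFE`-style loop if the project's queue.h provides it.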
@@ -522,8 +530,7 @@ natt_keepalive_remove (struct sockaddr *
 
       plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
 
-      TAILQ_REMOVE (&ka_tree, ka, chain);
-      racoon_free (ka);
+      natt_keepalive_delete (ka);
       /* Should we break here? Every pair of addresses should 
          be inserted only once, but who knows :-) Lets traverse 
 	 the whole list... */
Index: ipsec-tools-0.7.1/src/racoon/isakmp_frag.c
===================================================================
--- ipsec-tools-0.7.1.orig/src/racoon/isakmp_frag.c
+++ ipsec-tools-0.7.1/src/racoon/isakmp_frag.c
@@ -199,7 +199,8 @@ isakmp_frag_extract(iph1, msg)
 	 * frag->len is the frag payload data plus the frag payload header,
 	 * whose size is sizeof(*frag) 
 	 */
-	if (msg->l < sizeof(*isakmp) + ntohs(frag->len)) {
+	if (msg->l < sizeof(*isakmp) + ntohs(frag->len) ||
+	    ntohs(frag->len) < sizeof(*frag) + 1) {
 		plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n");
 		return -1;
 	}
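Review bot: The new minimum-length test `ntohs(frag->len) < sizeof(*frag) + 1` reads `frag->len` at the same point the old code did, so it assumes an earlier check (outside this hunk) already guarantees `msg->l >= sizeof(*isakmp) + sizeof(*frag)`; if no such guard exists, the header field itself is read past the end of a short message before either comparison runs. Confirm that guard, and consider placing the field test first so the intent reads clearly. The comment above the check should also record the new rule, e.g. `/* a fragment must carry at least one byte of payload beyond its header */`. isakmp_frag_extract continues outside the hunk.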