sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-04 00:00:14 -04:00
Code Issues Projects Releases Wiki Activity

libipsec: Enforce a minimum of 256 for SPIs

Browse Source 
RFC 4303 reserves the SPIs between 1 and 255 for future use.  This also
avoids an overflow and a division by zero if spi_min is 0 and spi_max is
0xffffffff.
This commit is contained in:
Tobias Brunner 2017-03-02 11:51:27 +01:00
parent bb05b251b2
commit 9d8192bfcd
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/libipsec/ipsec_sa_mgr.c
View File

@ -401,7 +401,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t,
uint32_t spi_min, spi_max, spi_new;
spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
0x00000000, lib->ns);
0x00000100, lib->ns);
spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
0xffffffff, lib->ns);
if (spi_min > spi_max)
@ -410,6 +410,9 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t,
spi_min = spi_max;
spi_max = spi_new;
}
/* make sure the SPI is valid (not in range 0-255) */
spi_min = max(spi_min, 0x00000100);
spi_max = max(spi_max, 0x00000100);
this->mutex->lock(this->mutex);
if (!this->rng)
@ -433,8 +436,6 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t,
return FAILED;
}
spi_new = spi_min + spi_new % (spi_max - spi_min + 1);
/* make sure the SPI is valid (not in range 0-255) */
spi_new |= 0x00000100;
spi_new = htonl(spi_new);
}
while (!allocate_spi(this, spi_new));