Commit 1cfd70a

committed
Move remote address update after ikev2_pld_parse() to make sure
the received packet is validated and authenticated before we update our connection state. Initially reported by IIJ Feedback and ok yasuoka@ markus@
1 parent 93c57ca commit 1cfd70a

1 file changed

+23
-14
lines changed

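--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.390 2024/11/21 13:26:49 claudio Exp $ */
+/* $OpenBSD: ikev2.c,v 1.391 2025/03/13 17:49:37 tobhe Exp $ */
 
 /*
 * Copyright (c) 2019 Tobias Heider <[email protected]>
@@ -790,19 +790,6 @@ ikev2_recv(struct iked *env, struct iked_message *msg)
 sa->sa_msgid_current = msg->msg_msgid;
 }
 
-if (sa_address(sa, &sa->sa_peer, (struct sockaddr *)&msg->msg_peer)
-== -1 ||
-sa_address(sa, &sa->sa_local, (struct sockaddr *)&msg->msg_local)
-== -1) {
-ikestat_inc(env, ikes_msg_rcvd_dropped);
-return;
-}
-
-sa->sa_fd = msg->msg_fd;
-
-log_debug("%s: updated SA to peer %s local %s", __func__,
-print_addr(&sa->sa_peer.addr), print_addr(&sa->sa_local.addr));
-
 done:
 if (initiator)
 ikev2_init_recv(env, msg, hdr);
@@ -1218,6 +1205,17 @@ ikev2_init_recv(struct iked *env, struct iked_message *msg,
 return;
 }
 
+if (sa_address(sa, &sa->sa_peer, (struct sockaddr *)&msg->msg_peer)
+== -1 ||
+sa_address(sa, &sa->sa_local, (struct sockaddr *)&msg->msg_local)
+== -1) {
+ikestat_inc(env, ikes_msg_rcvd_dropped);
+return;
+}
+sa->sa_fd = msg->msg_fd;
+log_debug("%s: updated SA to peer %s local %s", __func__,
+print_addr(&sa->sa_peer.addr), print_addr(&sa->sa_local.addr));
+
 if (sa->sa_fragments.frag_count != 0)
 return;
 
@@ -2990,6 +2988,17 @@ ikev2_resp_recv(struct iked *env, struct iked_message *msg,
 if ((sa = msg->msg_sa) == NULL)
 return;
 
+if (sa_address(sa, &sa->sa_peer, (struct sockaddr *)&msg->msg_peer)
+== -1 ||
+sa_address(sa, &sa->sa_local, (struct sockaddr *)&msg->msg_local)
+== -1) {
+ikestat_inc(env, ikes_msg_rcvd_dropped);
+return;
+}
+sa->sa_fd = msg->msg_fd;
+log_debug("%s: updated SA to peer %s local %s", __func__,
+print_addr(&sa->sa_peer.addr), print_addr(&sa->sa_local.addr));
+
 if (sa->sa_fragments.frag_count != 0)
 return;
 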
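Review bot: The relocated address update in ikev2_init_recv() and ikev2_resp_recv() sits directly above `if (sa->sa_fragments.frag_count != 0) return;`, so sa_peer, sa_local and sa_fd are rewritten while a fragmented message is still being reassembled. That is only safe if each fragment has already passed its own integrity check by this point, which these hunks do not show and is worth confirming. Neither copy has a comment stating the ordering requirement, so a later refactor could move the update back ahead of parsing; I would add `/* Update addresses only after ikev2_pld_parse() has validated and authenticated the message. */` above each block. The eleven added lines are identical in both functions and could live in one static helper so the two paths cannot drift apart. Both function bodies start and end outside the hunks.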
