--- /dev/null
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0790
+
+--- a/programs/pluto/ikev1.c
++++ b/programs/pluto/ikev1.c
+@@ -657,9 +657,17 @@ informational(struct msg_digest *md)
+ switch (n->isan_type)
+ {
+ case R_U_THERE:
++ if(st==NULL) {
++ loglog(RC_LOG_SERIOUS, "received bogus R_U_THERE informational message");
++ return STF_IGNORE;
++ }
+ return dpd_inI_outR(st, n, n_pbs);
+
+ case R_U_THERE_ACK:
++ if(st==NULL) {
++ loglog(RC_LOG_SERIOUS, "received bogus R_U_THERE_ACK informational message");
++ return STF_IGNORE;
++ }
+ return dpd_inR(st, n, n_pbs);
+
+ case PAYLOAD_MALFORMED:
--- /dev/null
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2185
+
+--- a/lib/libopenswan/asn1.c
++++ b/lib/libopenswan/asn1.c
+@@ -11,7 +11,6 @@
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+- * RCSID $Id: asn1.c,v 1.10 2005/08/05 17:33:27 mcr Exp $
+ */
+
+ #include <stdlib.h>
+@@ -107,6 +106,14 @@ asn1_length(chunk_t *blob)
+ len = 256*len + *blob->ptr++;
+ blob->len--;
+ }
++ if (len > blob->len)
++ {
++ DBG(DBG_PARSING,
++ DBG_log("length is larger than remaining blob size")
++ )
++ return ASN1_INVALID_LENGTH;
++ }
++
+ return len;
+ }
+
+@@ -237,13 +244,21 @@ asn1totime(const chunk_t *utctime, asn1_
+ int tz_hour, tz_min;
+
+ sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
++ if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
++ {
++ return 0; /* error in positive timezone offset format */
++ }
++
+ tz_offset = 3600*tz_hour + 60*tz_min; /* positive time zone offset */
+ }
+ else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
+ {
+ int tz_hour, tz_min;
+
+- sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
++ if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
++ {
++ return 0; /* error in negative timezone offset format */
++ }
+ tz_offset = -3600*tz_hour - 60*tz_min; /* negative time zone offset */
+ }
+ else
+@@ -255,14 +270,22 @@ asn1totime(const chunk_t *utctime, asn1_
+ const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
+ "%4d%2d%2d%2d%2d";
+
+- sscanf((char *)utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+- &t.tm_hour, &t.tm_min);
++ if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
++ &t.tm_hour, &t.tm_min) != 5)
++ {
++ return 0; /* error in time st [yy]yymmddhhmm time format */
++ }
++
+ }
+
+ /* is there a seconds field? */
+ if ((eot - (char *)utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
+ {
+- sscanf(eot-2, "%2d", &t.tm_sec);
++ if (sscanf(eot-2, "%2d", &t.tm_sec) != 1)
++ {
++ return 0; /* error in ss seconds field format */
++ }
++
+ }
+ else
+ {
+@@ -283,7 +306,11 @@ asn1totime(const chunk_t *utctime, asn1_
+ t.tm_year += 100;
+ }
+
+- /* representation of month 0..11*/
++ if (t.tm_mon < 1 || t.tm_mon > 12)
++ {
++ return 0; /* error in month format */
++ }
++ /* representation of month 0..11 in struct tm */
+ t.tm_mon--;
+
+ /* set daylight saving time to off */
projects / openwrt / svn-archive / archive.git / commitdiff