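KAME Racoon Malformed ISAKMP Packet Remote Denial of Service Vulnerability

Release date: 2004-04-19
Updated: 2004-04-26

Affected systems:
KAME Racoon
    - FreeBSD 4.9
    - NetBSD 1.6
Description:
BUGTRAQ  ID: 10172

racoon is KAME's IKE daemon.

racoon has a denial-of-service flaw in its handling of malformed ISAKMP packets. A remote attacker can exploit this vulnerability to make the application consume large amounts of memory, causing it to hang or crash.

No detailed information about the vulnerability is currently available.

<*Source: KAME
  *>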
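
The patch further down this page rejects an ISAKMP header whose length field exceeds 0xffff. The added example below, which is not KAME's code, applies that kind of check to a received datagram before anything is sized from the declared length; the names `isakmp_check_len` and `sample_header`, the extra consistency check against the received size, and the sample input are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28u     /* fixed ISAKMP header size (RFC 2408) */
#define ISAKMP_MAX_LEN 0xffffu /* same ceiling as the patch on this page */

enum verdict { V_OK, V_SHORT, V_TOO_BIG, V_BAD_LEN };

/* Read a big-endian 32-bit value without alignment assumptions. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Check the declared length before any buffer is sized from it. */
enum verdict isakmp_check_len(const unsigned char *dgram, size_t got, uint32_t *msg_len)
{
    uint32_t declared;

    if (got < ISAKMP_HDR_LEN)
        return V_SHORT;              /* not even a full header */
    declared = be32(dgram + 24);     /* length is the last 4 header bytes */
    if (declared > ISAKMP_MAX_LEN)
        return V_TOO_BIG;            /* the case the patch rejects */
    if (declared < ISAKMP_HDR_LEN || declared > got)
        return V_BAD_LEN;            /* assumption: also reject inconsistent lengths */
    *msg_len = declared;
    return V_OK;
}

/* Constructed sample: zeroed header carrying only a length field. */
void sample_header(unsigned char *buf, uint32_t declared)
{
    memset(buf, 0, ISAKMP_HDR_LEN);
    buf[24] = (unsigned char)(declared >> 24); buf[25] = (unsigned char)(declared >> 16);
    buf[26] = (unsigned char)(declared >> 8);  buf[27] = (unsigned char)declared;
}

int main(void)
{
    unsigned char pkt[ISAKMP_HDR_LEN];
    uint32_t n = 0;

    sample_header(pkt, 0x7fffffffu);
    printf("huge length -> %d\n", isakmp_check_len(pkt, sizeof(pkt), &n));
    return 0;
}
```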

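Recommendation:
Vendor patch:

KAME
----
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page: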

===================================================================
RCS file: /cvsroot/kame/kame/kame/kame/racoon/isakmp.c,v
retrieving revision 1.180
retrieving revision 1.181
diff -u -p -r1.180 -r1.181
--- kame/kame/kame/racoon/isakmp.c    2004/03/03 05:39:58    1.180
+++ kame/kame/kame/racoon/isakmp.c    2004/03/31 03:14:39    1.181
@@ -1,4 +1,4 @@
-/*    $KAME: isakmp.c,v 1.179 2003/11/13 02:30:20 sakane Exp $    */
+/*    $KAME: isakmp.c,v 1.180 2004/03/03 05:39:58 sakane Exp $    */

/*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -181,6 +181,18 @@ isakmp_handler(so_isakmp)
        plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
            "packet shorter than isakmp header size.\n");
        /* dummy receive */
+        if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
+                0, (struct sockaddr *)&remote, &remote_len)) < 0) {
+            plog(LLV_ERROR, LOCATION, NULL,
+                "failed to receive isakmp packet\n");
+        }
+        goto end;
+    }
+
+    /* reject it if the size is tooooo big. */
+    if (ntohl(isakmp.len) > 0xffff) {
+        plog(LLV_ERROR, LOCATION, NULL,
+            "the length of the isakmp header is too big.\n");
        if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
                0, (struct sockaddr *)&remote, &remote_len)) < 0) {
            plog(LLV_ERROR, LOCATION, NULL,
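
Review bot: The new length check logs its rejection with a NULL address (`plog(LLV_ERROR, LOCATION, NULL, "the length of the isakmp header is too big.\n")`), while the short-packet branch just above it passes `(struct sockaddr *)&remote`, so an oversized-length rejection cannot be tied to its sender in the log; pass the remote address here as well. The message text says the header is too big, but the test is on the length value carried in the header (`ntohl(isakmp.len) > 0xffff`), so the wording should say that, and the bare 0xffff would read better as a named constant. The dummy `recvfrom` block now appears in both branches and could be factored into one helper.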

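This security vulnerability was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.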