Fix ESP replay integer overflow problems

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
sailfishos-mirror · Aug 30, 2016 · 1663acb · 1663acb
1 parent dadfde8
commit 1663acb
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/esp.c b/esp.c
@@ -57,7 +57,7 @@ int verify_packet_seqno(struct openconnect_info *vpninfo,
 			     _("Accepting expected ESP packet with seq %u\n"),
 			     seq);
 		return 0;
-	} else if (seq + 33 < esp->seq) {
+	} else if (esp->seq > 33 && seq < esp->seq - 33) {
 		/* Too old. We can't know if it's a replay. */
 		vpn_progress(vpninfo, PRG_DEBUG,
 			     _("Discarding ancient ESP packet with seq %u (expected %u)\n"),
@@ -80,7 +80,7 @@ int verify_packet_seqno(struct openconnect_info *vpninfo,
 		return -EINVAL;
 	} else {
 		/* The packet we were expecting has gone missing; this one is newer. */
-		int delta = seq - esp->seq;
+		uint32_t delta = seq - esp->seq;
 
 		if (delta >= 32) {
 			/* We jumped a long way into the future. We have not seen

diff --git a/www/changelog.xml b/www/changelog.xml
@@ -15,6 +15,7 @@
 <ul>
    <li><b>OpenConnect HEAD</b>
      <ul>
+       <li>Fix integer overflow issues with ESP packet replay detection.</li>
        <li>Add <tt>--pass-tos</tt> option as in OpenVPN.</li>
        <li>Support rôle selection form in Juniper VPN.</li>
        <li>Support DER-format certificates, add certificate format torture tests.</li>