From 258bf7ea0fe69bae395a084843ba59b9770199f1 Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri, 12 Apr 2013 17:15:05 +0200
Subject: [PATCH] Drop packets forwarded via TCP if they are too big
 (CVE-2013-1428).

Normally all requests sent via the meta connections are checked so that they
cannot be larger than the input buffer. However, when packets are forwarded via
meta connections, they are copied into a packet buffer without checking whether
it fits into it. Since the packet buffer is allocated on the stack, this in
effect allows an authenticated remote node to cause a stack overflow.

This issue was found by Martin Schobert.
---
 src/net.h           |  1 +
 src/net_packet.c    |  3 +++
 src/net_setup.c     |  3 +++
 src/protocol_auth.c | 11 +++++++++++
 4 files changed, 18 insertions(+)

diff --git a/src/net.h b/src/net.h
index 8d236dad..879dfffb 100644
--- a/src/net.h
+++ b/src/net.h
@@ -135,6 +135,7 @@ extern int udp_sndbuf;
 extern bool do_prune;
 extern char *myport;
 extern int autoconnect;
+extern bool disablebuggypeers;
 extern int contradicting_add_edge;
 extern int contradicting_del_edge;
 extern time_t last_config_check;
diff --git a/src/net_packet.c b/src/net_packet.c
index 8a4cebd0..27ca7148 100644
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -443,6 +443,9 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 void receive_tcppacket(connection_t *c, const char *buffer, int len) {
 	vpn_packet_t outpkt;
 
+	if(len > sizeof outpkt.data)
+		return;
+
 	outpkt.len = len;
 	if(c->options & OPTION_TCPONLY)
 		outpkt.priority = 0;
diff --git a/src/net_setup.c b/src/net_setup.c
index 488cb7c6..bf0c5a50 100644
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -52,6 +52,7 @@ char *proxyuser;
 char *proxypass;
 proxytype_t proxytype;
 int autoconnect;
+bool disablebuggypeers;
 
 char *scriptinterpreter;
 char *scriptextension;
@@ -598,6 +599,8 @@ bool setup_myself_reloadable(void) {
 
 	get_config_int(lookup_config(config_tree, "AutoConnect"), &autoconnect);
 
+	get_config_bool(lookup_config(config_tree, "DisableBuggyPeers"), &disablebuggypeers);
+
 	return true;
 }
 
diff --git a/src/protocol_auth.c b/src/protocol_auth.c
index ba5db2ea..5f2dcaa2 100644
--- a/src/protocol_auth.c
+++ b/src/protocol_auth.c
@@ -510,6 +510,17 @@ bool send_ack(connection_t *c) {
 static void send_everything(connection_t *c) {
 	/* Send all known subnets and edges */
 
+	if(disablebuggypeers) {
+		static struct {
+			vpn_packet_t pkt;
+			char pad[MAXBUFSIZE - MAXSIZE];
+		} zeropkt;
+
+		memset(&zeropkt, 0, sizeof zeropkt);
+		zeropkt.pkt.len = MAXBUFSIZE;
+		send_tcppacket(c, &zeropkt.pkt);
+	}
+
 	if(tunnelserver) {
 		for splay_each(subnet_t, s, myself->subnet_tree)
 			send_add_subnet(c, s);
-- 
2.39.2