message: Limit maximum number of IKEv2 fragments

The maximum for IKEv1 is already 255 due to the 8-bit fragment number. With an overhead of 17 bytes (x64) per fragment and a default maximum of 10000 bytes per packet the maximum memory required is 14 kB for a fragmented message.
2014-09-16 15:51:21 +02:00 · 2014-09-16 15:51:21 +02:00 · 8dbe128c8c
parent f00a9c1715
commit 8dbe128c8c
1 changed files with 11 additions and 1 deletions
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@ -930,6 +930,11 @@ struct private_message_t {
 	fragment_data_t *frag;
 };

+/**
+ * Maximum number of fragments we will handle
+ */
+#define MAX_FRAGMENTS 255
+
 /**
 * A single fragment within a fragmented message
 */
@ -2779,7 +2784,12 @@ METHOD(message_t, add_fragment_v2, status_t,
 	}
 	encrypted_fragment = (encrypted_fragment_payload_t*)payload;
 	total = encrypted_fragment->get_total_fragments(encrypted_fragment);
-
+	if (total > MAX_FRAGMENTS)
+	{
+		DBG1(DBG_IKE, "maximum fragment count exceeded");
+		reset_defrag(this);
+		return FAILED;
+	}
 	if (!this->fragments || total > this->frag->last)
 	{
 		reset_defrag(this);