authorChristian Pointner <equinox@anytun.org>2010-01-13 02:27:16 +0000
committerChristian Pointner <equinox@anytun.org>2010-01-13 02:27:16 +0000
commite8f0baf7cebe5c5ba676955edab5e9ba7a58d6e6 (patch)
tree5de5b848fb5368489a265bbfa61bb10a9af18ffd
parentset version number (diff)
added security fix to release branchv0.3.2
-rw-r--r--ChangeLog4
-rw-r--r--src/anytun.cpp5
2 files changed, 7 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index f53739c..519ac27 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2010.01.13
+
+* Security fix: packet length check errors
+
2009.12.02 -- Version 0.3.2
* added 64bit build target to windows build system
diff --git a/src/anytun.cpp b/src/anytun.cpp
index de8429f..70a5276 100644
--- a/src/anytun.cpp
+++ b/src/anytun.cpp
@@ -227,7 +227,8 @@ void receiver(TunDevice* dev, PacketSource* src)
std::auto_ptr<Cipher> c(CipherFactory::create(gOpt.getCipher(), KD_INBOUND));
std::auto_ptr<AuthAlgo> a(AuthAlgoFactory::create(gOpt.getAuthAlgo(), KD_INBOUND));
- EncryptedPacket encrypted_packet(MAX_PACKET_LENGTH, gOpt.getAuthTagLength());
+ u_int32_t auth_tag_length = gOpt.getAuthTagLength();
+ EncryptedPacket encrypted_packet(MAX_PACKET_LENGTH, auth_tag_length);
PlainPacket plain_packet(MAX_PACKET_LENGTH);
while(1) {
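Review bot: The new local `auth_tag_length` is never reassigned, and the short-packet guard further down in the receive loop is only correct while it equals the tag length given to the `EncryptedPacket` constructor, so it should be declared `const u_int32_t auth_tag_length = gOpt.getAuthTagLength();`. A one-line comment above it would make that coupling explicit, for example `// cached once: the minimum-length check in the loop must use the same tag length as encrypted_packet`. receiver() begins before and continues after this hunk, so any other use of the tag length in the loop body is not visible here.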
@@ -249,7 +250,7 @@ void receiver(TunDevice* dev, PacketSource* src)
if(len < 0)
continue; // silently ignore socket recv errors, this is probably no good idea...
- if(static_cast<u_int32_t>(len) < EncryptedPacket::getHeaderLength())
+ if(static_cast<u_int32_t>(len) < (EncryptedPacket::getHeaderLength() + auth_tag_length))
continue; // ignore short packets
encrypted_packet.setLength(len);
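Review bot: The sum `EncryptedPacket::getHeaderLength() + auth_tag_length` in the new guard is presumably evaluated in 32-bit unsigned arithmetic, so an unreasonably large configured tag length could wrap it and let undersized packets through to `setLength(len)` again. Comparing in two steps avoids the addition, e.g. `const u_int32_t hdr = EncryptedPacket::getHeaderLength();` followed by `if(static_cast<u_int32_t>(len) < hdr || static_cast<u_int32_t>(len) - hdr < auth_tag_length)`. Alternatively, the tag length could be range-checked once when the options are parsed. Rejected packets are also dropped with a bare `continue`, so a counter or rate-limited log entry for short packets would give operators a signal when a peer sends malformed traffic. The rest of the loop body lies outside this hunk, so whether `setLength` or the authentication step enforce the same minimum themselves cannot be confirmed from here.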