From 55d97625b8f658a4c6cacb3dd74fcc53937f1f7a Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 18 Jan 2009 18:00:46 +0000 Subject: doing replay protection before learning remote host added some length checks for incoming packets --- src/anytun.cpp | 21 +++++++++++++-------- src/anytun.suo | Bin 42496 -> 44544 bytes src/encryptedPacket.cpp | 5 +++++ src/encryptedPacket.h | 8 +++++++- src/plainPacket.cpp | 5 +++++ src/plainPacket.h | 8 +++++++- 6 files changed, 37 insertions(+), 10 deletions(-) diff --git a/src/anytun.cpp b/src/anytun.cpp index a2d7f05..47d2cb6 100644 --- a/src/anytun.cpp +++ b/src/anytun.cpp @@ -258,6 +258,8 @@ void receiver(void* p) // read packet from socket u_int32_t len = param->src.recv(encrypted_packet.getBuf(), encrypted_packet.getLength(), remote_end); + if(len < EncryptedPacket::getHeaderLength()) + continue; // ignore short packets encrypted_packet.setLength(len); mux_t mux = encrypted_packet.getMux(); @@ -279,6 +281,14 @@ void receiver(void* p) continue; } + // Replay Protection + if(conn.seq_window_.checkAndAdd(encrypted_packet.getSenderId(), encrypted_packet.getSeqNr())) + { + cLog.msg(Log::PRIO_NOTICE) << "Replay attack from " << conn.remote_end_ + << " seq:"<< encrypted_packet.getSeqNr() << " sid: "<< encrypted_packet.getSenderId(); + continue; + } + //Allow dynamic IP changes //TODO: add command line option to turn this off if (remote_end != conn.remote_end_) @@ -290,15 +300,10 @@ void receiver(void* p) gSyncQueue.push(sc); #endif } - - // Replay Protection - if(conn.seq_window_.checkAndAdd(encrypted_packet.getSenderId(), encrypted_packet.getSeqNr())) - { - cLog.msg(Log::PRIO_NOTICE) << "Replay attack from " << conn.remote_end_ - << " seq:"<< encrypted_packet.getSeqNr() << " sid: "<< encrypted_packet.getSenderId(); + // ignore zero length packets + if(encrypted_packet.getPayloadLength() <= PlainPacket::getHeaderLength()) continue; - } - + // decrypt packet c->decrypt(conn.kd_, encrypted_packet, plain_packet); 
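Review bot: The new short-packet guard in `receiver` holds the result of `param->src.recv(...)` in a `u_int32_t`, so if `recv` can signal an error with a negative value, that value wraps to a large unsigned number, passes `if(len < EncryptedPacket::getHeaderLength())` and reaches `encrypted_packet.setLength(len)`. The return type of `recv` is not visible in this hunk, so this needs confirming against its declaration. If it is signed, keep the result in a signed variable and reject values `<= 0` before the header-length comparison. The body of `receiver` starts and ends outside the hunk.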
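Review bot: With the replay check now ahead of the endpoint update, the notice prints `conn.remote_end_`, which is the stored peer address, not the address the rejected datagram arrived from. A replayed packet sent from another host is therefore logged under the legitimate peer's address, which misleads anyone triaging the log. Printing the received address as well would fix that, e.g. `<< "Replay attack from " << remote_end << " (known peer " << conn.remote_end_ << ")"`, assuming `remote_end` is streamable like `conn.remote_end_`. Separately, the check that ends in `continue; }` just above is outside the hunk; if it is not the authentication check, `checkAndAdd` would record sequence numbers from unauthenticated packets, so that ordering should be confirmed.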
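Review bot: The added payload-length check sits after the dynamic-IP block, so a datagram that is about to be discarded as too short can still overwrite `conn.remote_end_` and trigger `gSyncQueue.push(sc)`. Moving `if(encrypted_packet.getPayloadLength() <= PlainPacket::getHeaderLength()) continue;` up next to the replay check, before `if (remote_end != conn.remote_end_)`, keeps dropped packets from changing connection state. The comment also understates the condition: it rejects any payload no longer than the plain header, not only empty ones, so `// ignore packets whose payload holds nothing beyond the plain header` would match the code. Whether `getPayloadLength()` includes an authentication tag is not visible here and decides whether this bound is tight enough before `c->decrypt(...)`.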
diff --git a/src/anytun.suo b/src/anytun.suo index 847888f..dcee7a5 100644 Binary files a/src/anytun.suo and b/src/anytun.suo differ diff --git a/src/encryptedPacket.cpp b/src/encryptedPacket.cpp index b580a8a..692d221 100644 --- a/src/encryptedPacket.cpp +++ b/src/encryptedPacket.cpp @@ -52,6 +52,11 @@ EncryptedPacket::EncryptedPacket(u_int32_t payload_length, bool allow_realloc) } } +u_int32_t EncryptedPacket::getHeaderLength() +{ + return sizeof(struct HeaderStruct); +} + seq_nr_t EncryptedPacket::getSeqNr() const { if(header_) diff --git a/src/encryptedPacket.h b/src/encryptedPacket.h index ac67950..4f64022 100644 --- a/src/encryptedPacket.h +++ b/src/encryptedPacket.h @@ -52,6 +52,12 @@ public: */ ~EncryptedPacket() {}; + /** + * Get the length of the header + * @return the length of the header + */ + static u_int32_t getHeaderLength(); + /** * Get the sequence number * @return seqence number @@ -100,7 +106,7 @@ public: * Get the length of the payload * @return the length of the payload */ - u_int32_t getPayloadLength() const; + u_int32_t getPayloadLength() const; /** * Set the length of the payload diff --git a/src/plainPacket.cpp b/src/plainPacket.cpp index a12a7c8..6d06b3f 100644 --- a/src/plainPacket.cpp +++ b/src/plainPacket.cpp @@ -42,6 +42,11 @@ PlainPacket::PlainPacket(u_int32_t payload_length, bool allow_realloc) : Buffer( *payload_type_ = 0; } +u_int32_t PlainPacket::getHeaderLength() +{ + return sizeof(payload_type_t); +} + payload_type_t PlainPacket::getPayloadType() const { if(payload_type_) diff --git a/src/plainPacket.h b/src/plainPacket.h index a66f3fc..5919c32 100644 --- a/src/plainPacket.h +++ b/src/plainPacket.h @@ -63,6 +63,12 @@ public: */ ~PlainPacket() {}; + /** + * Get the length of the header + * @return the length of the header + */ + static u_int32_t getHeaderLength(); + /** * Get the payload type * @return the id of the payload type 
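Review bot: `EncryptedPacket::getHeaderLength()` returns `sizeof(struct HeaderStruct)`, which equals the on-wire header size only if the struct is laid out without padding. The struct definition is not part of this diff; if it is not declared packed, the new minimum-length test in `receiver` (`len < EncryptedPacket::getHeaderLength()`) would compare against a value larger than the real header and could drop valid short packets. A compile-time size assertion, or at least a comment next to `HeaderStruct` stating the expected byte count, would pin down the assumption this function now relies on.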
@@ -79,7 +85,7 @@ public: * Get the length of the payload * @return the length of the payload */ - u_int32_t getPayloadLength() const; + u_int32_t getPayloadLength() const; /** * Set the length of the payload -- cgit v1.2.3