From e8f0baf7cebe5c5ba676955edab5e9ba7a58d6e6 Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@anytun.org>
Date: Wed, 13 Jan 2010 02:27:16 +0000
Subject: added security fix to release branch

---
 ChangeLog      | 4 ++++
 src/anytun.cpp | 5 +++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f53739c..519ac27 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2010.01.13 
+
+* Security fix: packet length check errors
+
 2009.12.02 -- Version 0.3.2
 
 * added 64bit build target to windows build system
diff --git a/src/anytun.cpp b/src/anytun.cpp
index de8429f..70a5276 100644
--- a/src/anytun.cpp
+++ b/src/anytun.cpp
@@ -227,7 +227,8 @@ void receiver(TunDevice* dev, PacketSource* src)
     std::auto_ptr<Cipher> c(CipherFactory::create(gOpt.getCipher(), KD_INBOUND));
     std::auto_ptr<AuthAlgo> a(AuthAlgoFactory::create(gOpt.getAuthAlgo(), KD_INBOUND));
     
-    EncryptedPacket encrypted_packet(MAX_PACKET_LENGTH, gOpt.getAuthTagLength());
+    u_int32_t auth_tag_length = gOpt.getAuthTagLength();
+    EncryptedPacket encrypted_packet(MAX_PACKET_LENGTH, auth_tag_length);
     PlainPacket plain_packet(MAX_PACKET_LENGTH);
     
     while(1) {
@@ -249,7 +250,7 @@ void receiver(TunDevice* dev, PacketSource* src)
       if(len < 0)
         continue; // silently ignore socket recv errors, this is probably no good idea...
 
-      if(static_cast<u_int32_t>(len) < EncryptedPacket::getHeaderLength())
+      if(static_cast<u_int32_t>(len) < (EncryptedPacket::getHeaderLength() + auth_tag_length))
         continue; // ignore short packets
       encrypted_packet.setLength(len);
       
-- 
cgit v1.2.3