From 9076b3cc9b7aff863b934454e1289d43d3ae3a4a Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Tue, 11 Jul 2023 12:12:25 +0200 Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer overflow Seems this was forgotten in the referenced commit and actually could lead to a buffer overflow. Since charon-tkm is untrusted this isn't that much of an issue but could at least be easily exploited for a DoS attack as DH public values are set when handling IKE_SA_INIT requests. Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends") Fixes: CVE-2023-41913 --- src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c index 41b557edc213..03cbf6be7962 100644 --- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c @@ -69,11 +69,16 @@ METHOD(diffie_hellman_t, get_shared_secret, bool, return TRUE; } - METHOD(diffie_hellman_t, set_other_public_value, bool, private_tkm_diffie_hellman_t *this, chunk_t value) { dh_pubvalue_type othervalue; + + if (!diffie_hellman_verify_value(this->group, value) || + value.len > sizeof(othervalue.data)) + { + return FALSE; + } othervalue.size = value.len; memcpy(&othervalue.data, value.ptr, value.len); -- 2.34.1