From 98f1b9718dbc53cb99a3eaea6e96247becdee07f Mon Sep 17 00:00:00 2001
From: bodea <bodea>
Date: Mon, 4 Dec 2006 20:50:02 +0000
Subject: [PATCH] Security: Rhys Kidd identified a vulnerability in the
 handling of heartbeat packets.  Drop oversize heartbeat packets.

---
 Changes     | 4 +++-
 THANKS      | 1 +
 cluster.c   | 8 ++++++--
 l2tpns.spec | 2 +-
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/Changes b/Changes
index a37c50e..05c4f9f 100644
--- a/Changes
+++ b/Changes
@@ -1,4 +1,4 @@
-* Thu Aug 3 2006 Brendan O'Dea <bod@optus.net> 2.2.0
+* Tue Dec 5 2006 Brendan O'Dea <bod@optus.net> 2.2.0
 - Only poll clifd if successfully bound.
 - Add "Practical VPNs" document from Liran Tal as Docs/vpn .
 - Add Multilink support from Khaled Al Hamwi.
@@ -12,6 +12,8 @@
 - Fix sign problem with reporting of unknown RADIUS VSAs.
 - Allow DNS servers to be specified either using the old or new
   vendor-specific Ascend formats.
+- Security: Rhys Kidd identified a vulnerability in the handling of
+  heartbeat packets.  Drop oversize heartbeat packets.
 
 * Tue Apr 18 2006 Brendan O'Dea <bod@optus.net> 2.1.18
 - Don't shutdown on TerminateReq, wait for CDN.
diff --git a/THANKS b/THANKS
index 5fbe93a..bc38c6d 100644
--- a/THANKS
+++ b/THANKS
@@ -28,3 +28,4 @@ Jonathan Yarden            <jyarden@bluegrass.net>
 Patrick Cole               <z@amused.net>
 Khaled Al Hamwi            <kh.alhamwi@gmail.com>
 Graham Maltby              <gmaltby+l2tpns@iig.com.au>
+Rhys Kidd                  <rhys.kidd@staff.westnet.com.au>
diff --git a/cluster.c b/cluster.c
index e250196..015268a 100644
--- a/cluster.c
+++ b/cluster.c
@@ -1,6 +1,6 @@
 // L2TPNS Clustering Stuff
 
-char const *cvs_id_cluster = "$Id: cluster.c,v 1.53 2006/07/17 07:53:08 bodea Exp $";
+char const *cvs_id_cluster = "$Id: cluster.c,v 1.54 2006/12/04 20:50:02 bodea Exp $";
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -1453,7 +1453,11 @@ static int cluster_process_heartbeat(uint8_t *data, int size, int more, uint8_t
 		return -1; // Ignore it??
 	}
 
-		// Ok. It's a heartbeat packet from a cluster master!
+	if (size > sizeof(past_hearts[0].data)) {
+		LOG(0, 0, 0, "Received an oversize heartbeat from %s (%d)!\n", fmtaddr(addr, 0), size);
+		return -1;
+	}
+
 	if (s < sizeof(*h))
 		goto shortpacket;
 
diff --git a/l2tpns.spec b/l2tpns.spec
index d2a563b..dc03660 100644
--- a/l2tpns.spec
+++ b/l2tpns.spec
@@ -43,5 +43,5 @@ rm -rf %{buildroot}
 %attr(644,root,root) /usr/share/man/man[58]/*
 
 %changelog
-* Thu Aug 3 2006 Brendan O'Dea <bod@optus.net> 2.2.0-1
+* Tue Dec 5 2006 Brendan O'Dea <bod@optus.net> 2.2.0-1
 - 2.2.0 release, see /usr/share/doc/l2tpns-2.2.0/Changes
-- 
2.20.1