From aea1f3b7ba8258c11a9a542454ee3edad2fb5c20 Mon Sep 17 00:00:00 2001
From: jsg
Date: Sat, 3 Feb 2024 00:54:14 +0000
Subject: [PATCH] fix off-by-one in bounds test found by "buffer overflow 'peerxfs' 6 <= 6" smatch error tobhe@ had a remote peer attempt a transform type of 6 and it is caught by earlier checks before getting here. ok tobhe@
---
 sbin/iked/policy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index 1e39beac2ff..a9e783c82a4 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.97 2023/11/10 08:03:02 tobhe Exp $ */
+/* $OpenBSD: policy.c,v 1.98 2024/02/03 00:54:14 jsg Exp $ */
 /*
 * Copyright (c) 2020-2021 Tobias Heider
@@ -1091,7 +1091,7 @@ proposals_match(struct iked_proposal *local, struct iked_proposal *peer,
 for (i = 0; i < peer->prop_nxforms; i++) {
 tpeer = peer->prop_xforms + i;
- if (tpeer->xform_type > IKEV2_XFORMTYPE_MAX)
+ if (tpeer->xform_type >= IKEV2_XFORMTYPE_MAX)
 continue;
 if (noauth && tpeer->xform_type == IKEV2_XFORMTYPE_INTEGR)
 return (0);
--
2.20.1
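Review bot: The corrected guard `if (tpeer->xform_type >= IKEV2_XFORMTYPE_MAX)` in the proposals_match hunk carries no comment saying that the constant is an element count rather than the highest valid transform type, which is the misreading behind the original `>`. A one-line comment above it, for example `/* xform_type comes from the peer; IKEV2_XFORMTYPE_MAX is the array size, so it is already out of range */`, would stop the test from being changed back later. The peerxfs declaration and the rest of proposals_match are outside the hunk, so the array size is inferred only from the smatch message quoted in the commit log and should be confirmed there. Since the value is supplied by the remote peer, any other comparison against IKEV2_XFORMTYPE_MAX that guards an index in this file is worth checking for the same `>` versus `>=` slip.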