Prevent oracle attacks in the legacy protocol (CVE-2018-16737, CVE-2018-16738)

[tinc] / src / net_packet.c

diff --git a/src/net_packet.c b/src/net_packet.c
index ee2b316..a516b4a 100644 (file)
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -152,11 +152,11 @@ static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
                len = ntohs(len16);
        }
 
-       if (n->udp_ping_sent.tv_sec != 0) { // a probe in flight
+       if(n->udp_ping_sent.tv_sec != 0) {  // a probe in flight
                gettimeofday(&now, NULL);
                struct timeval rtt;
                timersub(&now, &n->udp_ping_sent, &rtt);
-               n->udp_ping_rtt = rtt.tv_sec*1000000 + rtt.tv_usec;
+               n->udp_ping_rtt = rtt.tv_sec * 1000000 + rtt.tv_usec;
                logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s) rtt=%d.%03d", DATA(packet)[0], len, n->name, n->hostname, n->udp_ping_rtt / 1000, n->udp_ping_rtt % 1000);
        } else {
                logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
@@ -167,7 +167,6 @@ static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
           packet used. */
        if(!n->status.udp_confirmed) {
                n->status.udp_confirmed = true;
-               fprintf(stderr, "Updating address cache...\n");
 
                if(!n->address_cache) {
                        n->address_cache = open_address_cache(n);
@@ -462,7 +461,11 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 
                inpkt = outpkt;
 
-               origlen -= MTU / 64 + 20;
+               if(origlen > MTU / 64 + 20) {
+                       origlen -= MTU / 64 + 20;
+               } else {
+                       origlen = 0;
+               }
        }
 
        if(inpkt->len > n->maxrecentlen) {