encoding: Verify the length of KE payload data for known groups
authorMartin Willi <martin@revosec.ch>
Tue, 3 Feb 2015 15:40:14 +0000 (16:40 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 18 Mar 2015 12:33:25 +0000 (13:33 +0100)
commit84738b1aed955662106b272169915928e1232086
treeaed513e7bba38359ed9a7033660827875b058da5
parentb8ecdfd8952d4c9021db565f22adb87a9adaa8b0
encoding: Verify the length of KE payload data for known groups

IKE is very strict in the length of KE payloads, and it should be safe to
strictly verify their length. Not doing so is no direct threat, but allows DDoS
amplification by sending short KE payloads for large groups using the target
as the source address.
src/libcharon/encoding/payloads/ke_payload.c