Fix Vulnerability: CVE-2023-22325 TALOS-2023-1736

SoftEther VPN DCRegister DDNS_RPC_MAX_RECV_SIZE denial of service vulnerability https://www.softether.org/9-about/News/904-SEVPN202301 https://jvn.jp/en/jp/JVN64316789/
2025-07-08 00:34:57 +03:00 · 2023-09-28 18:26:17 +09:00
parent b8e542105f
commit c49e462ed1
3 changed files with 8 additions and 2 deletions
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@ -1191,7 +1191,9 @@ void RUDPProcess_NatT_Recv(RUDP_STACK *r, UDPPACKET *udp)
 		bool is_ok = PackGetBool(p, "ok");
 		UINT64 tran_id = PackGetInt64(p, "tran_id");

-		ExtractAndApplyDynList(p);
+		// This ExtractAndApplyDynList() calling was removed because it is not actually used and could be abused by
+		// illegal UDP packets that spoof the source IP address. 2023-6-14 Daiyuu Nobori
+		// ExtractAndApplyDynList(p);

 		if (r->ServerMode)
 		{