mirror of
https://github.com/SoftEtherVPN/SoftEtherVPN.git
synced 2024-11-22 17:39:53 +03:00
Compare commits
1 Commits
ecb0beb30d
...
d334225864
Author | SHA1 | Date | |
---|---|---|---|
|
d334225864 |
1
.github/workflows/fedora-rawhide.yml
vendored
1
.github/workflows/fedora-rawhide.yml
vendored
@ -4,7 +4,6 @@ on:
|
|||||||
schedule:
|
schedule:
|
||||||
- cron: "0 0 25 * *"
|
- cron: "0 0 25 * *"
|
||||||
push:
|
push:
|
||||||
pull_request:
|
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
|
@ -3,7 +3,7 @@ cmake_minimum_required(VERSION 3.10)
|
|||||||
set(BUILD_NUMBER CACHE STRING "The number of the current build.")
|
set(BUILD_NUMBER CACHE STRING "The number of the current build.")
|
||||||
|
|
||||||
if ("${BUILD_NUMBER}" STREQUAL "")
|
if ("${BUILD_NUMBER}" STREQUAL "")
|
||||||
set(BUILD_NUMBER "5186")
|
set(BUILD_NUMBER "5185")
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
if (BUILD_NUMBER LESS 5180)
|
if (BUILD_NUMBER LESS 5180)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
{
|
{
|
||||||
"environments": [ { "BuildNumber": "5186" } ],
|
"environments": [ { "BuildNumber": "5185" } ],
|
||||||
"configurations": [
|
"configurations": [
|
||||||
{
|
{
|
||||||
"name": "x64-native",
|
"name": "x64-native",
|
||||||
|
@ -463,13 +463,39 @@ void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
|
|||||||
seq = READ_UINT(src + sizeof(UINT));
|
seq = READ_UINT(src + sizeof(UINT));
|
||||||
|
|
||||||
// Search and retrieve the IPsec SA from SPI
|
// Search and retrieve the IPsec SA from SPI
|
||||||
|
|
||||||
// thank to @phillibert report, responding to bad SA might lead to amplification
|
|
||||||
// according to RFC4303 we should drop such packets
|
|
||||||
|
|
||||||
ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
|
ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
|
||||||
if (ipsec_sa == NULL)
|
if (ipsec_sa == NULL)
|
||||||
{
|
{
|
||||||
|
// Invalid SPI
|
||||||
|
UINT64 init_cookie = Rand64();
|
||||||
|
UINT64 resp_cookie = 0;
|
||||||
|
IKE_CLIENT *c = NULL;
|
||||||
|
IKE_CLIENT t;
|
||||||
|
|
||||||
|
|
||||||
|
Copy(&t.ClientIP, &p->SrcIP, sizeof(IP));
|
||||||
|
t.ClientPort = p->SrcPort;
|
||||||
|
Copy(&t.ServerIP, &p->DstIP, sizeof(IP));
|
||||||
|
t.ServerPort = p->DestPort;
|
||||||
|
t.CurrentIkeSa = NULL;
|
||||||
|
|
||||||
|
if (p->DestPort == IPSEC_PORT_IPSEC_ESP_RAW)
|
||||||
|
{
|
||||||
|
t.ClientPort = t.ServerPort = IPSEC_PORT_IPSEC_ISAKMP;
|
||||||
|
}
|
||||||
|
|
||||||
|
c = Search(ike->ClientList, &t);
|
||||||
|
|
||||||
|
if (c != NULL && c->CurrentIkeSa != NULL)
|
||||||
|
{
|
||||||
|
init_cookie = c->CurrentIkeSa->InitiatorCookie;
|
||||||
|
resp_cookie = c->CurrentIkeSa->ResponderCookie;
|
||||||
|
}
|
||||||
|
|
||||||
|
SendInformationalExchangePacketEx(ike, (c == NULL ? &t : c), IkeNewNoticeErrorInvalidSpiPayload(spi), false,
|
||||||
|
init_cookie, resp_cookie);
|
||||||
|
|
||||||
|
SendDeleteIPsecSaPacket(ike, (c == NULL ? &t : c), spi);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user