From: Ian Jackson Date: Thu, 15 May 2014 00:54:18 +0000 (+0100) Subject: site: SECURITY: Properly update full peer address array X-Git-Tag: debian/0.3.2_beta1~19 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=secnet.git;a=commitdiff_plain;h=925c5ca83e5eb67604b837ce8d3e02fae2adb260 site: SECURITY: Properly update full peer address array If we already have the maximum number of peer addresses, do not stuff the peer address into the wrong slot. If a site instance is configured with the maximum permissible limit on the number of mobile peer addresses (ie with mobile-peers-max set to 5), this overruns the transport peers array. In such a configuration this is a security problem. It looks like a denial of service and privilege escalation can't be ruled out. Configurations without mobile peers are not affected. Otherwise it simply means the address is ignored. Signed-off-by: Ian Jackson --- diff --git a/site.c b/site.c index f87328f..f0a2922 100644 --- a/site.c +++ b/site.c @@ -1955,7 +1955,7 @@ static void transport_record_peer(struct site *st, transport_peers *peers, changed=1; if (peers->npeers==st->transport_peers_max) - slot=st->transport_peers_max; + slot=st->transport_peers_max-1; else slot=peers->npeers++;
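Review bot: the guard in transport_record_peer, "if (peers->npeers==st->transport_peers_max)", only catches exact equality, so if npeers were ever above transport_peers_max the else branch "slot=peers->npeers++" would still index and grow past the end of the array. Consider testing with >= there, or asserting that slot is below transport_peers_max before the array is written. A one-line comment on the new "slot=st->transport_peers_max-1;" saying that a full array reuses its last slot would also make this off-by-one harder to reintroduce. The commit message says the overrun occurs with mobile-peers-max set to 5, but the visible lines do not show the array's declared size, so it would be worth checking (or asserting at configuration time) that transport_peers_max can never exceed it.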