From fb9e3337a5cb91d74a805c0611826eb1c103b92c Mon Sep 17 00:00:00 2001 From: Thomas Reim Date: Tue, 2 Oct 2018 09:43:03 +0200 Subject: [PATCH] Fix isakmp fragmentation bug in CVE-2016-10396 patch When applying NetBSD's CVE-2016-10396 patch Apple iPhones, which use a racoon client for IPSec based VPN access, cannot connect anymore to racoon VPN on the racoon server. Following server log entries outline the failure: Sep 14 06:42:28 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch Sep 14 06:42:28 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch Sep 14 06:42:32 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch Sep 14 06:42:32 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch Sep 14 06:42:39 vpnserver racoon[1775]: ERROR: phase1 negotiation failed due to time up. This update fixes a bug in the CVE-2016-10396 patch, which prevents racoon server from identifying a completely reassembled isakmp fragment chain. Signed-off-by: Thomas Reim --- debian/patches/CVE-2016-10396.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/patches/CVE-2016-10396.patch b/debian/patches/CVE-2016-10396.patch index e123007..f8af408 100644 --- a/debian/patches/CVE-2016-10396.patch +++ b/debian/patches/CVE-2016-10396.patch @@ -119,7 +119,7 @@ Index: pkg-ipsec-tools/src/racoon/isakmp_frag.c } - if (item != NULL) /* It is complete */ -+ if (i > last_frag) /* It is complete */ ++ if (i >= last_frag) /* It is complete */ return 1; } -- 2.18.0
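Review bot: The one-character change to `if (i >= last_frag)` moves the completeness boundary by one, but neither the hunk context nor the commit message says what `i` holds when this test is reached: the index of the last fragment already matched, or the next one expected. Without that, a reader cannot confirm from the patch that `>=` never reports the chain complete while fragment `last_frag` is still missing. That matters here because this test is part of the CVE-2016-10396 reassembly fix. Please state the loop invariant in the commit message and extend the `/* It is complete */` comment to spell it out, for example that `i` reaches `last_frag` only after every fragment up to and including the last one has been found in the chain. The log excerpt documents the symptom well; adding the fragment count and order of arrival at which the old `>` test failed would make the fix checkable against the code.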