isakmpd(8): Fix NULL dereference in message_alloc_reply() callers
message_alloc_reply() dereferences the returned pointer of
message_alloc() without a NULL check. Add one so callers can handle
the failure.
Also add NULL checks at both call sites in exchange.c.
test & ok sthen
isakmpd(8): Fix possible unaligned 32 bit read
When validating IPsec SPIs in a DELETE message, access to the
32 bit SPI value might be unaligned. On platforms requiring strict
alignment, this would cause termination of isakmpd by signal.
To avoid this, memcpy(3) the SPI value to a local variable.
test & ok sthen
isakmpd(8): Validate DELETE payload SPI array size [2/2]
Similar to message_validate_delete() also validate in
ipsec_handle_leftover_payload() that the provided number of SPIs
actually fit in the payload. This is redundant as we already would
bail out in message_validate_delete().
test & ok sthen
isakmpd(8): Validate DELETE payload SPI array size [1/2]
The number of SPIs provided in a DELETE message is not properly
validated. This might cause a read beyond the message end. However,
the outside read is limited to 4 bytes for IPsec SAs and 16 bytes
for ISAKMP SAs. A crash is possible, but seems unlikely to me.
test & ok sthen
isakmpd(8): Validate proposal and transform sizes
Check
- that a proposal payload fits within the outer SA payload,
- that the provided SPI and the following transform header fit within
the proposal, and
- transforms fit within the outer proposal payload.
It's already ensured that we never read outside the message. However,
within the message the mentioned payloads might be misinterpreted due
to malformed size values.
test & ok sthen
in inteldrm_burner_cb() call fb_blank() instead of drm_fb_helper_blank()
this indirectly calls intel_fbdev_blank(), which does
drm_fb_helper_blank() followed by intel_fbdev_invalidate()
avoids on screen garbage when wscons screen blanking is enabled on
mvs' Alder Lake and Gemini Lake machines.
