| Message ID | 20200415073017.22839-1-lstipakov@gmail.com |
|---|---|
| State | Accepted |
| Headers |
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id +JiUB2S4ll46aQAAIUCqbw for <patchwork@openvpn.net>; Wed, 15 Apr 2020 03:31:48 -0400 Received: from proxy2.mail.ord1d.rsapps.net ([172.30.191.6]) by director12.mail.ord1d.rsapps.net with LMTP id QDBlB2S4ll4vMQAAIasKDg ; Wed, 15 Apr 2020 03:31:48 -0400 Received: from smtp25.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy2.mail.ord1d.rsapps.net with LMTP id oJsSB2S4ll6uVwAAfawv4w ; Wed, 15 Apr 2020 03:31:48 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp25.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=gmail.com; dmarc=fail (p=none; dis=none) header.from=gmail.com X-Suspicious-Flag: YES X-Classification-ID: 293c4a18-7eeb-11ea-bbf3-b8ca3a673c88-1-1 Received: from [216.105.38.7] ([216.105.38.7:45144] helo=lists.sourceforge.net) by smtp25.gate.ord1c.rsapps.net (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id BD/9A-28421-268B69E5; Wed, 15 Apr 2020 03:31:46 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) id 1jOcVZ-0008HX-E5; Wed, 15 Apr 2020 07:30:53 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <lstipakov@gmail.com>) id 1jOcVY-0008HR-Ma for openvpn-devel@lists.sourceforge.net; Wed, 15 Apr 2020 07:30:52 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=WQvNgLfrHimljJ783Nq/5DwKCK2giOASS8UpKS/6c7I=; b=k15gagPRJ1k/G4sNgC0pYiSdJp hOjapPFgEmif2VkjHjn9pt0TJEhJplKM6gk4ZcLS8TtOAwF8Y5LaTy3c62Jm3INgAxn1LJ2yh0yP0 pdoJ8PpPqNV5VbGPcf69eDI7IDT6YuhRCf0bA5xs3ldep4r9uhnul67geklWEBV9CuEA=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=WQvNgLfrHimljJ783Nq/5DwKCK2giOASS8UpKS/6c7I=; b=EeYlmT0qRfPOo5JiRV0c7PHUdw EcvWumC+eE9BuU9UczE6yObHrtXkrK1Esy0xwQABB6B+lakv1f4Qdh7IWmg1zclEXG9AQ/uVYRMj/ VFUsehwws3vKILhkxo9IMg1hZfibsOMb8YPEoc2pLb32SkS9sQKrxbT78whRqdz2tMnI=; Received: from mail-wm1-f53.google.com ([209.85.128.53]) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.2) id 1jOcVU-001uKJ-2H for openvpn-devel@lists.sourceforge.net; Wed, 15 Apr 2020 07:30:52 +0000 Received: by mail-wm1-f53.google.com with SMTP id x4so16155957wmj.1 for <openvpn-devel@lists.sourceforge.net>; Wed, 15 Apr 2020 00:30:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=WQvNgLfrHimljJ783Nq/5DwKCK2giOASS8UpKS/6c7I=; b=TdpLqpG5mo8fJhw/TTNOAXQ9JoGS1D+sOz2hIslEfT3B56tbh2UJSp3DTrt1LZOogo Cu5NvQ4W1SITArORnVrRQvu6eJXNzxBoU8D6hrSo/C+ikyO+DgY5tBW2WOxVSGBvwkz8 lsNUwirP2/O7guujNgDt2wBGZbektsw5e4cDwWnY6jOzlPLknaHb7CZEC0tvkdTYOAuY y38DR6rrDH1IHjmHkM8lHiyq6zAmhuS9NTJil4HZip4jcO+Zz00SfkXiDRKIXEN3ffzY pntHOkykqgeUKkArei/ZW/lpkFSG4utzAL+NA5Rw4u4m9AMkgMaducKDx52AcAgppUlv tV3w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=WQvNgLfrHimljJ783Nq/5DwKCK2giOASS8UpKS/6c7I=; b=fzcaTRGQRlaTCCUXCMMSpyILVt2z2DL6yT0RmnalsQypdfR2alFrBTMs7oTDhp8Tg/ wjQzGHf+NHLm4qoR8Jl2L/zR4rTi4HOG3k7Iy2JrhnSIVelNLdh2m7ItNmxf4nCiejfw yLaSqCm8AfBnXDpK/ySMb7tCkz1LjS7taZSVc2OAYpCzDTqj+DEjyX0cd83tMsOXlLQU gTa1ajGviugBMzLQwsi5rdAs/uOKlcsTj94ZCeGIxzVWN41UhuyiyDtJzBncbc1F+fM3 wb/sJj6FjflH65DOqxiyAHhi+uR17AC/Rv+nA8EoedaIMLXbZphxaTxxhR84OxuwKCrf nizw== X-Gm-Message-State: AGi0PuYGM0+xbqvenf4Emo3B7kXkIZbgdpOvjcB18CYZVX1fHUyaDObd tPiWqL00LjzlGueIvrDEbYWII7TMaIc= X-Google-Smtp-Source: APiQypIb2eqx0x6aGtC4OOVHgTOpCoOW6/DBASTiXFBee/67YyFFR2qZmNA6yN3ayIWoOIuBtM94wQ== X-Received: by 2002:a1c:678a:: with SMTP id b132mr3841139wmc.107.1586935839970; Wed, 15 Apr 2020 00:30:39 -0700 (PDT) Received: from localhost.localdomain (nat4.panoulu.net. [185.38.2.4]) by smtp.gmail.com with ESMTPSA id q8sm21196548wmg.22.2020.04.15.00.30.38 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 15 Apr 2020 00:30:39 -0700 (PDT) From: Lev Stipakov <lstipakov@gmail.com> To: openvpn-devel@lists.sourceforge.net Date: Wed, 15 Apr 2020 10:30:17 +0300 Message-Id: <20200415073017.22839-1-lstipakov@gmail.com> X-Mailer: git-send-email 2.26.1 In-Reply-To: <b6450eb9-93db-63b9-7e13-4cacbcad39c9@rfc2549.org> References: <b6450eb9-93db-63b9-7e13-4cacbcad39c9@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (lstipakov[at]gmail.com) 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: openvpn.net] -0.8 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.128.53 listed in wl.mailspike.net] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.128.53 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid X-Headers-End: 1jOcVU-001uKJ-2H Subject: [Openvpn-devel] [PATCH v2] Fix illegal client float X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: <openvpn-devel.lists.sourceforge.net> List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>, <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe> List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel> List-Post: <mailto:openvpn-devel@lists.sourceforge.net> List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help> List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>, <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe> Cc: Lev Stipakov <lev@openvpn.net> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox |
| Series |
[Openvpn-devel,v2] Fix illegal client float
|
|
Commit Message
Lev Stipakov
April 14, 2020, 9:30 p.m. UTC
From: Lev Stipakov <lev@openvpn.net> There is a time frame between allocating peer-id and initializing data channel key, which is performed on receiving push request. If a "rogue" data channel packet arrives during that time frame from another address and with same peer-id, this would cause client to float to that new address. This is because: - tls_pre_decrypt() sets packet length to zero if data channel key has not been initialized, which leads to - openvpn_decrypt() returns true if packet length is zero, which leads to - process_incoming_link_part1() returns true, which calls multi_process_float(), which commits float Note that problem doesn't happen when data channel key is initialized, since in this case openvpn_decrypt() returns false. Fix illegal float by adding buffer length check before calling multi_process_float(). This should fix Trac #1272. Signed-off-by: Lev Stipakov <lev@openvpn.net> --- v2: add comment explaning why nonzero check needed src/openvpn/multi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
Comments
Am 15.04.20 um 09:30 schrieb Lev Stipakov: > From: Lev Stipakov <lev@openvpn.net> > > There is a time frame between allocating peer-id and initializing data > channel key, which is performed on receiving push request. > > If a "rogue" data channel packet arrives during that time frame from > another address and with same peer-id, this would cause client to float > to that new address. This is because: > > - tls_pre_decrypt() sets packet length to zero if > data channel key has not been initialized, which leads to > > - openvpn_decrypt() returns true if packet length is zero, > which leads to > > - process_incoming_link_part1() returns true, which > calls multi_process_float(), which commits float > > Note that problem doesn't happen when data channel key > is initialized, since in this case openvpn_decrypt() returns false. > > Fix illegal float by adding buffer length check before calling > multi_process_float(). > > This should fix Trac #1272. > > Signed-off-by: Lev Stipakov <lev@openvpn.net> > --- > v2: add comment explaning why nonzero check needed > > src/openvpn/multi.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c > index da0aeeba..37d2a6f2 100644 > --- a/src/openvpn/multi.c > +++ b/src/openvpn/multi.c > @@ -2555,7 +2555,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst > orig_buf = c->c2.buf.data; > if (process_incoming_link_part1(c, lsi, floated)) > { > - if (floated) > + /* nonzero length means that we have a valid, decrypted packed */ > + if (floated && c->c2.buf.len > 0) > { > multi_process_float(m, m->pending); > } > Thanks! Acked-By: Arne Schwabe <arne@rfc2549.org>
Hi, On 15/04/2020 11:32, Arne Schwabe wrote: > Am 15.04.20 um 09:30 schrieb Lev Stipakov: >> From: Lev Stipakov <lev@openvpn.net> >> >> There is a time frame between allocating peer-id and initializing data >> channel key, which is performed on receiving push request. >> >> If a "rogue" data channel packet arrives during that time frame from >> another address and with same peer-id, this would cause client to float >> to that new address. This is because: >> >> - tls_pre_decrypt() sets packet length to zero if >> data channel key has not been initialized, which leads to >> >> - openvpn_decrypt() returns true if packet length is zero, >> which leads to >> >> - process_incoming_link_part1() returns true, which >> calls multi_process_float(), which commits float >> >> Note that problem doesn't happen when data channel key >> is initialized, since in this case openvpn_decrypt() returns false. >> >> Fix illegal float by adding buffer length check before calling >> multi_process_float(). >> >> This should fix Trac #1272. >> >> Signed-off-by: Lev Stipakov <lev@openvpn.net> >> --- >> v2: add comment explaning why nonzero check needed >> >> src/openvpn/multi.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c >> index da0aeeba..37d2a6f2 100644 >> --- a/src/openvpn/multi.c >> +++ b/src/openvpn/multi.c >> @@ -2555,7 +2555,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst >> orig_buf = c->c2.buf.data; >> if (process_incoming_link_part1(c, lsi, floated)) >> { >> - if (floated) >> + /* nonzero length means that we have a valid, decrypted packed */ >> + if (floated && c->c2.buf.len > 0) >> { >> multi_process_float(m, m->pending); >> } >> > Thanks! > > Acked-By: Arne Schwabe <arne@rfc2549.org> just went through the entire flow with Lev and David and this all makes a lot of sense now. Couldn't come up with a better fix for this issue. Acked-by: Antonio Quartulli <antonio@openvpn.net>
Your patch has been applied to the master and release/2.4 branch (bugfix).
I have amended the commit message to make it more clear what is the
risk (DoS against another random user of the same server, but no traffic
injection or stealing)
Code change is "obviously correct". Have still given it a t_client
run for good measure :-)
commit 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab (master)
commit f7b318f811bb43c0d3aa7f337ec6242ed2c33881 (release/2.4)
Author: Lev Stipakov
Date: Wed Apr 15 10:30:17 2020 +0300
Fix illegal client float (CVE-2020-11810)
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200415073017.22839-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index da0aeeba..37d2a6f2 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2555,7 +2555,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst orig_buf = c->c2.buf.data; if (process_incoming_link_part1(c, lsi, floated)) { - if (floated) + /* nonzero length means that we have a valid, decrypted packed */ + if (floated && c->c2.buf.len > 0) { multi_process_float(m, m->pending); }