diff mbox series

[Openvpn-devel,v1] socks: Fix wrong success check in socks_username_password_auth

Message ID 20260112180304.8742-1-gert@greenie.muc.de
State New
Headers show
Series [Openvpn-devel,v1] socks: Fix wrong success check in socks_username_password_auth | expand

Commit Message

Gert Doering Jan. 12, 2026, 6:02 p.m. UTC 
From: Frank Lichtenheld <frank@lichtenheld.com>

Due to wrong boolean operator the function did not
correctly detect when the authentication failed.

Reported-By: Joshua Rogers <contact@joshua.hu>
Found-By: ZeroPath (https://zeropath.com)
Github: openvpn-private-issues#4
Change-Id: I13b411fb3e8b913ae049c6ca8a1cf5a2edbab0fb
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1466
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1466
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering <gert@greenie.muc.de>

Comments

Gert Doering Jan. 13, 2026, 7:23 a.m. UTC | #1 
"Ooops".  Change makes sense.

Basically auth success is "(buf[0] == 5 && buf[1] == 0)", so auth fail
needs to properly negate that...  and this patch does.

Not tested beyond BB socks proxy t_client uses - which do not excercise
the "auth fail" case, and the "auth succeed" case still works.

Your patch has been applied to the master branch.

commit d104917e34be43890a86c532329780037e419085
Author: Frank Lichtenheld
Date:   Mon Jan 12 19:02:56 2026 +0100

     socks: Fix wrong success check in socks_username_password_auth

     Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1466
     Message-Id: <20260112180304.8742-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35219.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
diff mbox series

Patch

diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index ed2d9e9..1e99c9a 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -143,7 +143,7 @@ 
     }
 
     /* VER = 5, SUCCESS = 0 --> auth success */
-    if (buf[0] != 5 && buf[1] != 0)
+    if (buf[0] != 5 || buf[1] != 0)
     {
         msg(D_LINK_ERRORS, "socks_username_password_auth: server refused the authentication");
         goto cleanup;