From patchwork Tue Apr 14 21:30:17 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lev Stipakov X-Patchwork-Id: 1079 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id +JiUB2S4ll46aQAAIUCqbw for ; Wed, 15 Apr 2020 03:31:48 -0400 Received: from proxy2.mail.ord1d.rsapps.net ([172.30.191.6]) by director12.mail.ord1d.rsapps.net with LMTP id QDBlB2S4ll4vMQAAIasKDg ; Wed, 15 Apr 2020 03:31:48 -0400 Received: from smtp25.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy2.mail.ord1d.rsapps.net with LMTP id oJsSB2S4ll6uVwAAfawv4w ; Wed, 15 Apr 2020 03:31:48 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp25.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=gmail.com; dmarc=fail (p=none; dis=none) header.from=gmail.com X-Suspicious-Flag: YES X-Classification-ID: 293c4a18-7eeb-11ea-bbf3-b8ca3a673c88-1-1 Received: from [216.105.38.7] ([216.105.38.7:45144] helo=lists.sourceforge.net) by smtp25.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id BD/9A-28421-268B69E5; Wed, 15 Apr 2020 03:31:46 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jOcVZ-0008HX-E5; Wed, 15 Apr 2020 07:30:53 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jOcVY-0008HR-Ma for openvpn-devel@lists.sourceforge.net; Wed, 15 Apr 2020 07:30:52 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=WQvNgLfrHimljJ783Nq/5DwKCK2giOASS8UpKS/6c7I=; b=k15gagPRJ1k/G4sNgC0pYiSdJp hOjapPFgEmif2VkjHjn9pt0TJEhJplKM6gk4ZcLS8TtOAwF8Y5LaTy3c62Jm3INgAxn1LJ2yh0yP0 pdoJ8PpPqNV5VbGPcf69eDI7IDT6YuhRCf0bA5xs3ldep4r9uhnul67geklWEBV9CuEA=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=WQvNgLfrHimljJ783Nq/5DwKCK2giOASS8UpKS/6c7I=; b=EeYlmT0qRfPOo5JiRV0c7PHUdw EcvWumC+eE9BuU9UczE6yObHrtXkrK1Esy0xwQABB6B+lakv1f4Qdh7IWmg1zclEXG9AQ/uVYRMj/ VFUsehwws3vKILhkxo9IMg1hZfibsOMb8YPEoc2pLb32SkS9sQKrxbT78whRqdz2tMnI=; Received: from mail-wm1-f53.google.com ([209.85.128.53]) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.2) id 1jOcVU-001uKJ-2H for openvpn-devel@lists.sourceforge.net; Wed, 15 Apr 2020 07:30:52 +0000 Received: by mail-wm1-f53.google.com with SMTP id x4so16155957wmj.1 for ; Wed, 15 Apr 2020 00:30:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=WQvNgLfrHimljJ783Nq/5DwKCK2giOASS8UpKS/6c7I=; b=TdpLqpG5mo8fJhw/TTNOAXQ9JoGS1D+sOz2hIslEfT3B56tbh2UJSp3DTrt1LZOogo Cu5NvQ4W1SITArORnVrRQvu6eJXNzxBoU8D6hrSo/C+ikyO+DgY5tBW2WOxVSGBvwkz8 lsNUwirP2/O7guujNgDt2wBGZbektsw5e4cDwWnY6jOzlPLknaHb7CZEC0tvkdTYOAuY y38DR6rrDH1IHjmHkM8lHiyq6zAmhuS9NTJil4HZip4jcO+Zz00SfkXiDRKIXEN3ffzY pntHOkykqgeUKkArei/ZW/lpkFSG4utzAL+NA5Rw4u4m9AMkgMaducKDx52AcAgppUlv tV3w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=WQvNgLfrHimljJ783Nq/5DwKCK2giOASS8UpKS/6c7I=; b=fzcaTRGQRlaTCCUXCMMSpyILVt2z2DL6yT0RmnalsQypdfR2alFrBTMs7oTDhp8Tg/ wjQzGHf+NHLm4qoR8Jl2L/zR4rTi4HOG3k7Iy2JrhnSIVelNLdh2m7ItNmxf4nCiejfw yLaSqCm8AfBnXDpK/ySMb7tCkz1LjS7taZSVc2OAYpCzDTqj+DEjyX0cd83tMsOXlLQU gTa1ajGviugBMzLQwsi5rdAs/uOKlcsTj94ZCeGIxzVWN41UhuyiyDtJzBncbc1F+fM3 wb/sJj6FjflH65DOqxiyAHhi+uR17AC/Rv+nA8EoedaIMLXbZphxaTxxhR84OxuwKCrf nizw== X-Gm-Message-State: AGi0PuYGM0+xbqvenf4Emo3B7kXkIZbgdpOvjcB18CYZVX1fHUyaDObd tPiWqL00LjzlGueIvrDEbYWII7TMaIc= X-Google-Smtp-Source: APiQypIb2eqx0x6aGtC4OOVHgTOpCoOW6/DBASTiXFBee/67YyFFR2qZmNA6yN3ayIWoOIuBtM94wQ== X-Received: by 2002:a1c:678a:: with SMTP id b132mr3841139wmc.107.1586935839970; Wed, 15 Apr 2020 00:30:39 -0700 (PDT) Received: from localhost.localdomain (nat4.panoulu.net. [185.38.2.4]) by smtp.gmail.com with ESMTPSA id q8sm21196548wmg.22.2020.04.15.00.30.38 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 15 Apr 2020 00:30:39 -0700 (PDT) From: Lev Stipakov To: openvpn-devel@lists.sourceforge.net Date: Wed, 15 Apr 2020 10:30:17 +0300 Message-Id: <20200415073017.22839-1-lstipakov@gmail.com> X-Mailer: git-send-email 2.26.1 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (lstipakov[at]gmail.com) 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: openvpn.net] -0.8 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.128.53 listed in wl.mailspike.net] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.128.53 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid X-Headers-End: 1jOcVU-001uKJ-2H Subject: [Openvpn-devel] [PATCH v2] Fix illegal client float X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Lev Stipakov Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: Lev Stipakov There is a time frame between allocating peer-id and initializing data channel key, which is performed on receiving push request. If a "rogue" data channel packet arrives during that time frame from another address and with same peer-id, this would cause client to float to that new address. This is because: - tls_pre_decrypt() sets packet length to zero if data channel key has not been initialized, which leads to - openvpn_decrypt() returns true if packet length is zero, which leads to - process_incoming_link_part1() returns true, which calls multi_process_float(), which commits float Note that problem doesn't happen when data channel key is initialized, since in this case openvpn_decrypt() returns false. Fix illegal float by adding buffer length check before calling multi_process_float(). This should fix Trac #1272. Signed-off-by: Lev Stipakov Acked-By: Arne Schwabe Acked-by: Antonio Quartulli --- v2: add comment explaning why nonzero check needed src/openvpn/multi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index da0aeeba..37d2a6f2 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2555,7 +2555,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst orig_buf = c->c2.buf.data; if (process_incoming_link_part1(c, lsi, floated)) { - if (floated) + /* nonzero length means that we have a valid, decrypted packed */ + if (floated && c->c2.buf.len > 0) { multi_process_float(m, m->pending); }