[Openvpn-devel] Fix stack buffer overruns in NEXTADDR() macro:

Message ID 20200717170948.227787-1-matthias.andree@gmx.de
State Rejected
Headers show
Series
  • [Openvpn-devel] Fix stack buffer overruns in NEXTADDR() macro:
Related show

Commit Message

Matthias Andree July 17, 2020, 5:09 p.m.
copy first, then round up the length when adding padding
to the advance.

Found by: GCC 9.3.0 (FreeBSD)

Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
---
 src/openvpn/route.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--
2.25.4

Comments

Matthias Andree July 17, 2020, 5:22 p.m. | #1
Am 17.07.20 um 19:09 schrieb Matthias Andree:
> @@ -3727,6 +3727,7 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
>          msg(M_WARN, "GDG6: socket #1 failed");
>          goto done;
>      }
> +    errno = 0;
>      if (write(sockfd, (char *)&m_rtmsg, l) < 0)
>      {
>          msg(M_WARN, "GDG6: problem writing to routing socket");

This line escaped, so NAK on the first version of the patch.

New patch was sent.

Patch

diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index b57da5dd..7f760e9d 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -3436,7 +3436,7 @@  struct rtmsg {
 #else  /* if defined(TARGET_SOLARIS) */
 #define NEXTADDR(w, u) \
     if (rtm_addrs & (w)) { \
-        l = ROUNDUP( ((struct sockaddr *)&(u))->sa_len); memmove(cp, &(u), l); cp += l; \
+        l = ((struct sockaddr *)&(u))->sa_len; memmove(cp, &(u), l); cp += ROUNDUP(l); \
     }

 #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
@@ -3727,6 +3727,7 @@  get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
         msg(M_WARN, "GDG6: socket #1 failed");
         goto done;
     }
+    errno = 0;
     if (write(sockfd, (char *)&m_rtmsg, l) < 0)
     {
         msg(M_WARN, "GDG6: problem writing to routing socket");