From patchwork Thu Dec 28 22:54:00 2017
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 162
From: Steffan Karger
Date: Fri, 29 Dec 2017 10:54:00 +0100
Message-ID: <1514541240-19536-1-git-send-email-steffan.karger@fox-it.com>
Subject: [Openvpn-devel] [PATCH 4/5 v2] buffer_list_aggregate_separator(): prevent 0-byte malloc

As pointed out in finding OVPN-05 of the cryptography engineering audit
(funded by Private Internet Access), buffer_list_aggregate_separator()
could perform a 0-byte malloc when called with a list of 0-length buffers
and a "" separator. If other code would later try to access that buffer
memory, this would result in undefined behaviour.

To prevent this, always malloc() 1 byte.

To simplify as we go, use alloc_buf() to allocate the buffer. This has
the additional benefit that the actual buffer data (not the contents) is
zero-terminated, because alloc_buf() calls calloc() and we have 1 extra
byte of data.

Signed-off-by: Steffan Karger Acked-by: Antonio Quartulli --- v2: add spaces around '+' src/openvpn/buffer.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index 2656702..cfe6f2c 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -1251,8 +1251,7 @@ buffer_list_aggregate_separator(struct buffer_list *bl, const size_t max_len, struct buffer_entry *e = bl->head, *f; ALLOC_OBJ_CLEAR(f, struct buffer_entry); - f->buf.data = malloc(size); - check_malloc_return(f->buf.data); + f->buf = alloc_buf(size + 1); /* prevent 0-byte malloc */ f->buf.capacity = size; for (i = 0; e && i < count; ++i) {
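
Review bot: The inline comment on the new alloc_buf(size + 1) line says only "prevent 0-byte malloc", but the commit message also relies on that extra byte staying zero as a terminator, and nothing in the code records that. The unchanged f->buf.capacity = size; directly below is what keeps the byte out of reach of later writes, so it looks like an off-by-one mismatch to anyone reading the two lines cold. I would extend the comment to say the trailing byte is deliberately left outside capacity. Two smaller points on the same line: the hunk drops check_malloc_return(f->buf.data), so handling of allocation failure now depends entirely on alloc_buf(), which is worth stating in the commit message; and size + 1 has no visible guard against wrap-around, so it would help to confirm that size is already bounded (for example by max_len) before this point.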