[Openvpn-devel] Avoid illegal memory access when malformed data is read from the pipe

Message ID 1508520356-18277-1-git-send-email-selva.nair@gmail.com
State Accepted

Commit Message

Selva Nair Oct. 20, 2017, 5:25 p.m.
From: Selva Nair <selva.nair@gmail.com>

- If only 1 byte is read from the interactive service client pipe, that
  evaluates to zero wide characters and subsequent check for NUL
  termination in the data buffer segfaults.
  Fix: reject clients that send less than a complete wide character.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
---
 src/openvpnserv/interactive.c | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Gert Doering Oct. 21, 2017, 6:49 a.m. | #1
Hi,

On Fri, Oct 20, 2017 at 01:25:56PM -0400, selva.nair@gmail.com wrote:
> From: Selva Nair <selva.nair@gmail.com>
> 
> - If only 1 byte is read from the interactive service client pipe, that
>   evaluates to zero wide characters and subsequent check for NUL
>   termination in the data buffer segfaults.
>   Fix: reject clients that send less than a complete wide character.

ACK.

(Not merging right now due to time constraints, but the patch does what
it says on the lid - thanks)

gert

Gert Doering Nov. 3, 2017, 6:22 p.m. | #2
ACK, and now with time to merge :-)

Your patch has been applied to the master and release/2.4 branch.

commit 6f20808c8f37301c43d822f6a22d30b3587abc57 (master)
commit 17884fa4ab2b3113559542404704402e5fce7643 (release/2.4)
Author: Selva Nair
Date:   Fri Oct 20 13:25:56 2017 -0400

     Avoid illegal memory access when malformed data is read from the pipe

     Signed-off-by: Selva Nair <selva.nair@gmail.com>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <1508520356-18277-1-git-send-email-selva.nair@gmail.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15657.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering



Patch

diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index f3be113..0d162e8 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -466,6 +466,13 @@  GetStartupData(HANDLE pipe, STARTUP_DATA *sud)
     }
 
     size = bytes / sizeof(*data);
+    if (size == 0)
+    {
+        MsgToEventLog(M_SYSERR, TEXT("malformed startup data: 1 byte received"));
+        ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event);
+        goto out;
+    }
+
     data = malloc(bytes);
     if (data == NULL)
     {
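
Review bot: the new `if (size == 0)` check only rejects a read shorter than one wide character; an odd byte count above one (3, 5, ...) still passes, and `size = bytes / sizeof(*data)` then drops the trailing partial character without any notice while `malloc(bytes)` allocates the full byte count. Consider also rejecting `bytes % sizeof(*data) != 0` in this branch. The event-log text hard-codes "1 byte received"; logging the actual value of `bytes` would keep the message accurate if the condition is widened later or if a zero-length read can ever reach this point.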