From patchwork Fri Oct 20 06:25:56 2017
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 34
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 20 Oct 2017 13:25:56 -0400
Message-Id: <1508520356-18277-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH] Avoid illegal memory access when malformed data is read from the pipe

From: Selva Nair

If only 1 byte is read from the interactive service client pipe, that evaluates to zero wide characters and subsequent check for NUL termination in the data buffer segfaults.

Fix: reject clients that send less than a complete wide character.

Signed-off-by: Selva Nair

--- src/openvpnserv/interactive.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index f3be113..0d162e8 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -466,6 +466,13 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud) } size = bytes / sizeof(*data); + if (size == 0) + { + MsgToEventLog(M_SYSERR, TEXT("malformed startup data: 1 byte received")); + ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); + goto out; + } + data = malloc(bytes); if (data == NULL) {
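
Review bot: the new `if (size == 0)` check after `size = bytes / sizeof(*data);` only rejects reads shorter than one wide character; a read whose length is not a multiple of sizeof(*data) (for example 3 bytes) still passes, with the trailing partial character dropped by the integer division. Consider rejecting `bytes % sizeof(*data) != 0` in the same branch. The event-log text also hardcodes "1 byte received"; logging the actual value of bytes would keep the message accurate for every input that reaches this branch, and a short comment above the check stating why a zero size must be rejected before the NUL-termination test would help future readers.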