From patchwork Mon Jun 27 23:41:44 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2561
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 28 Jun 2022 11:41:44 +0200
Message-Id: <20220628094144.17471-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH] tls-crypt-v2: bail out if the client key is too small
Cc: Antonio Quartulli

The tls-crypt-v2 key should be at least 2 bytes long in order to read
the actual length. Bail out if the key is too short. Failing to do so
will lead to a read out of the buffer boundary. While at it improve the
error message a bit.

Signed-off-by: Antonio Quartulli
Acked-BY: Arne Schwabe

--- src/openvpn/tls_crypt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 88730a99..2fc79111 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c 
@@ -557,7 +557,8 @@ tls_crypt_v2_extract_client_key(struct buffer *buf, if (BLEN(&wrapped_client_key) < sizeof(net_len)) { - msg(D_TLS_ERRORS, "failed to read length"); + msg(D_TLS_ERRORS, "Can not read tls-crypt-v2 client key length"); + return false; } memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len), sizeof(net_len));
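Review bot: the `return false;` added in the `BLEN(&wrapped_client_key) < sizeof(net_len)` branch has no regression test in this patch (the diffstat touches only `src/openvpn/tls_crypt.c`). A unit test that hands `tls_crypt_v2_extract_client_key()` a wrapped key of 0 bytes and of 1 byte and expects `false` would pin the fix: before this change the branch only logged and fell through to the `memcpy()` from `BEND(&wrapped_client_key) - sizeof(net_len)`, whose source starts before the buffer when fewer than `sizeof(net_len)` bytes are present. Minor style point on the same branch: "Can not" reads better as "Cannot", and including the observed `BLEN()` value in the message would make the log line more useful when triaging malformed packets.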