From patchwork Thu Dec 15 19:01:38 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2918
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 15 Dec 2022 20:01:38 +0100
Message-Id: <20221215190143.2107896-4-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20221215190143.2107896-1-arne@rfc2549.org>
References: <20221215190143.2107896-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 3/8] Ensure that argument to parse_line has always space for final sentinel

This fixes two places where we do not have enough space in the array of parameters given to parse_line for the final NULL parameter that signals the end of the
parsed argument errors. Both these cases can lead to a buffer overflow. But both of these cases require root/admin access to OpenVPN:

- parse_argv, only able to trigger if starting openvpn from the command line, at this point you cannot gain more privileges than you already have. Way to reproduce, compile with ASAN and run:

  openvpn --tls-verify a a a a a a a a a a a a a a a

- remove_iroutes_from_push_route_list
  This operates on the list of pushed entries that is generated by the server itself. To trigger this, you need to have control over config, management interface, a plugin or cdd files.

The parse_argv problem was found by Trail of Bits. I found the remove_iroutes_from_push_route_list problem by looking for similar problems.

Reported-By: Trail of Bits (TOB-OVPN-4)
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/options.c | 9 ++++-----
 src/openvpn/push.c | 4 ++--
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e48e4b459..1d6c0572c 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -5310,8 +5310,6 @@ parse_argv(struct options *options, unsigned int *option_types_found, struct env_set *es) { - int i, j; - /* usage message */ if (argc <= 1) { @@ -5321,7 +5319,7 @@ parse_argv(struct options *options, /* config filename specified only? */ if (argc == 2 && strncmp(argv[1], "--", 2)) { - char *p[MAX_PARMS]; + char *p[MAX_PARMS+1]; CLEAR(p); p[0] = "config"; p[1] = argv[1]; @@ -5331,9 +5329,9 @@ parse_argv(struct options *options, else { /* parse command line */ - for (i = 1; i < argc; ++i) + for (int i = 1; i < argc; ++i) { - char *p[MAX_PARMS]; + char *p[MAX_PARMS+1]; CLEAR(p); p[0] = argv[i]; if (strncmp(p[0], "--", 2)) @@ -5345,6 +5343,7 @@ parse_argv(struct options *options, p[0] += 2; } + int j; for (j = 1; j < MAX_PARMS; ++j) { if (i + j < argc) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index f8c747d44..ad2f3c656 100644 --- a/src/openvpn/push.c
+++ b/src/openvpn/push.c @@ -1096,13 +1096,13 @@ remove_iroutes_from_push_route_list(struct options *o) /* cycle through the push list */ while (e) { - char *p[MAX_PARMS]; + char *p[MAX_PARMS+1]; bool enable = true; /* parse the push item */ CLEAR(p); if (e->enable - && parse_line(e->option, p, SIZE(p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc)) + && parse_line(e->option, p, SIZE(p)-1, "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc)) { /* is the push item a route directive? */ if (p[0] && !strcmp(p[0], "route") && !p[3] && o->iroutes)
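Review bot: the removal of `int i, j;` in the `@@ -5310,8 +5310,6 @@` hunk is a scoping cleanup unrelated to the overflow being fixed; it is harmless, but bundling it into a security fix makes the fix harder to backport and review, and the `+ int j;` reintroduced two hunks later shows the cleanup was only half possible. Suggest keeping this commit to the `MAX_PARMS+1` changes and moving the declaration shuffle to a separate cleanup commit.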
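Review bot: in the `@@ -5321,7 +5319,7 @@` hunk the new `char *p[MAX_PARMS+1];` carries no comment explaining the extra slot, and the visible context only assigns `p[0]` and `p[1]`, so a later reader may take the `+1` for a typo and "normalise" it back to `MAX_PARMS`, reintroducing the bug. Suggest a one-line comment at the declaration, such as `char *p[MAX_PARMS+1]; /* last slot stays NULL as the sentinel */`, and the same at the other two declarations in this patch.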
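Review bot: in the `@@ -5345,6 +5343,7 @@` hunk the loop bound `j < MAX_PARMS` is the other half of the fix: it is what guarantees `p[MAX_PARMS]` is never written and stays NULL after `CLEAR(p)`, yet the declaration that makes that slot exist sits in the previous hunk with nothing linking the two. A short comment on the loop, for example `/* fills at most p[1..MAX_PARMS-1]; p[MAX_PARMS] is the NULL sentinel */`, would tie the invariant together. Also, `int j;` is declared outside the loop while `i` moved into its `for` header; if `j` is needed after the loop (not visible here) a comment should say so, otherwise `for (int j = 1; ...)` would match the new style.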
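Review bot: in the push.c hunk the bare `SIZE(p)-1` at the `parse_line` call reads as a magic adjustment; the reason (the array now has one extra slot reserved as the NULL sentinel that `parse_line` must not fill) should be stated in a comment or, better, captured once in a helper so the `MAX_PARMS+1` / `SIZE(p)-1` pair cannot drift apart at a call site. The context line `!p[3]` shows why this matters: it reads a slot beyond the parsed tokens and is only safe if the sentinel is present. Since the commit message says this second instance was found by searching for similar patterns, documenting the contract in parse_line's own header comment would help audit any remaining call sites.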
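As an added example (not OpenVPN's code and not part of this patch), the sentinel convention the fix relies on, modelled in C: a parse_line-shaped tokenizer that writes at most max_parms entries, a caller that reserves MAX_PARMS+1 slots and passes SIZE(p)-1, and the push.c `route` / `!p[3]` test from the last hunk. MAX_PARMS is assumed to be 16 (OpenVPN's value in options.h, not shown on this page); simple_parse_line, parse_with_sentinel, parse_count_with_sentinel and push_item_is_plain_route are names chosen here.

```c
/* Added example (not OpenVPN's code): models the parse_line() contract the patch
 * relies on. The parser writes at most max_parms pointers into p and never touches
 * p[max_parms]; the caller reserves that extra slot and clears it (the sentinel). */
#include <stddef.h>
#include <string.h>
#define MAX_PARMS 16 /* assumption: OpenVPN's options.h value, not shown on the page */
#define SIZE(x) (sizeof(x) / sizeof((x)[0]))

/* In-place whitespace tokenizer shaped like parse_line(): fills up to max_parms entries. */
static int simple_parse_line(char *buf, char *p[], int max_parms)
{
    int n = 0;
    for (char *s = buf; n < max_parms;) {
        while (*s == ' ') { s++; }                    /* skip separators */
        if (*s == '\0') { break; }                    /* end of line */
        p[n++] = s;                                   /* token starts here */
        while (*s != '\0' && *s != ' ') { s++; }
        if (*s == ' ') { *s++ = '\0'; }               /* terminate token */
    }
    return n;
}

/* Caller written the way the patch fixes it: MAX_PARMS+1 slots, CLEAR(p), parser
 * told SIZE(p)-1 (here MAX_PARMS), so p[n] is always a valid, still-NULL slot. */
static int parse_with_sentinel(const char *line, char *buf, size_t bufsz, char *p[])
{
    strncpy(buf, line, bufsz - 1);
    buf[bufsz - 1] = '\0';
    memset(p, 0, sizeof(char *) * (MAX_PARMS + 1));  /* CLEAR(p) */
    return simple_parse_line(buf, p, MAX_PARMS);
}

/* Returns the token count if the slot after the last token is still NULL, else -1. */
int parse_count_with_sentinel(const char *line)
{
    char buf[512];
    char *p[MAX_PARMS + 1];
    int n = parse_with_sentinel(line, buf, sizeof(buf), p);
    return (n <= MAX_PARMS && p[n] == NULL) ? n : -1;
}

/* The push.c test from the patch: "route <net> <mask>" with no fourth parameter.
 * Reading p[3] is safe only because the sentinel slot is guaranteed to exist. */
int push_item_is_plain_route(const char *line)
{
    char buf[512];
    char *p[MAX_PARMS + 1];
    parse_with_sentinel(line, buf, sizeof(buf), p);
    return p[0] != NULL && strcmp(p[0], "route") == 0 && p[3] == NULL;
}
```

The first test input is the commit message's reproducer line: 16 tokens fill every parser-visible slot, and the reserved slot after them is still NULL.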