From patchwork Mon Mar 13 13:33:23 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3125
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 13 Mar 2023 14:33:23 +0100
Message-Id: <20230313133323.59367-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
Subject: [Openvpn-devel] [PATCH] Fix memory leaks in HMAC initial packet id and dco open tun

The open_tun_dco_generic already allocates the actual_name string; this shadows the allocation in the FreeBSD/Linux specific methods.

The HMAC leaks are just forgotten frees/deinitialisations.

Change-Id: I3c344af047abe94c0178bde1781eb450f10d157d
Signed-off-by: Arne Schwabe
---
 src/openvpn/dco_freebsd.c | 1 -
 src/openvpn/init.c | 2 ++
 src/openvpn/ssl.c | 11 +++++++++++
 src/openvpn/ssl.h | 6 ++++++
 4 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index cbd2ce205..70bf9d61d 100644 --- a/src/openvpn/dco_freebsd.c +++ b/src/openvpn/dco_freebsd.c @@ -230,7 +230,6 @@ create_interface(struct tuntap *tt, const char *dev) } snprintf(tt->dco.ifname, IFNAMSIZ, "%s", ifr.ifr_data); - tt->actual_name = string_alloc(tt->dco.ifname, NULL); /* see "Interface Flags" in ifnet(9) */ int i = IFF_POINTOPOINT | IFF_MULTICAST; 
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 293031de6..45b1c8b0d 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3876,6 +3876,8 @@ do_close_tls(struct context *c) md_ctx_cleanup(c->c2.pulled_options_state); md_ctx_free(c->c2.pulled_options_state); } + + tls_auth_standalone_free(c->c2.tls_auth_standalone); } /* diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index f4aca484f..04205329a 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1361,6 +1361,17 @@ tls_auth_standalone_init(struct tls_options *tls_options, return tas; } +void +tls_auth_standalone_free(struct tls_auth_standalone *tas) +{ + if (!tas) + { + return; + } + + packet_id_free(&tas->tls_wrap.opt.packet_id); +} + /* * Set local and remote option compatibility strings. * Used to verify compatibility of local and remote option diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index bdcee769b..4ed4cfaa4 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -180,6 +180,12 @@ void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu); struct tls_auth_standalone *tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc); +/** + * Frees a standalone tls-auth verification object. + * @param tas the object to free. May be NULL. + */ +void tls_auth_standalone_free(struct tls_auth_standalone *tas); + /* * Setups the control channel frame size parameters from the data channel * parameters
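
Review bot: in the dco_freebsd.c hunk, only the FreeBSD create_interface loses its `tt->actual_name = string_alloc(tt->dco.ifname, NULL);`, while the commit message says the duplicate allocation is in the "FreeBSD/Linux specific methods" and the diffstat lists no Linux file; either the Linux side has no second string_alloc (then the message should say FreeBSD only) or it needs the same one-line removal. It would also help to state in the message that open_tun_dco_generic sets tt->actual_name from the same tt->dco.ifname value, since nothing in this file assigns it any more.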
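
Review bot: in the init.c hunk, the new `tls_auth_standalone_free(c->c2.tls_auth_standalone);` in do_close_tls neither clears c->c2.tls_auth_standalone afterwards nor does the ssl.c counterpart reset the packet_id state it releases, so if do_close_tls can run twice for the same context before tls_auth_standalone_init is called again, the second call hands already-freed packet_id state to packet_id_free. Suggest either `c->c2.tls_auth_standalone = NULL;` after the call (the free function already tolerates NULL) or a comment documenting that the object is always recreated before the next close.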
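
Review bot: in the ssl.c hunk, tls_auth_standalone_free releases only `tas->tls_wrap.opt.packet_id` and not tas itself, which is correct given that tls_auth_standalone_init takes a `struct gc_arena *gc` and so hands ownership of the struct to the arena, but a reader of this function alone cannot see that. A one-line comment such as `/* tas itself is gc-allocated by tls_auth_standalone_init; only the packet_id state is heap-owned */` above the packet_id_free call would make the asymmetry between init and free deliberate rather than look like a missed free.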
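
Review bot: in the ssl.h hunk, the doc comment "Frees a standalone tls-auth verification object" overstates what the ssl.c implementation does, which is to release the packet_id state held by the object while the struct memory stays with the gc_arena passed to tls_auth_standalone_init declared directly above. Suggest wording it as "Releases the resources (packet id state) held by a standalone tls-auth verification object; the object itself remains owned by the gc_arena it was allocated from and must not be used again without re-initialisation" so callers do not try to free or reuse tas afterwards.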