From patchwork Tue Mar 26 10:41:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frank Lichtenheld X-Patchwork-Id: 3673 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:c315:b0:55c:c090:46f0 with SMTP id jk21csp2929265mab; Tue, 26 Mar 2024 03:41:34 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCW5lgfQMFf0P2xd2Cs+d3q8mKXWII7hKa1o0xRdmCcsUZwtBiPGkG2ajhK3lV+zIcKiQHpfOBmgZPczWBauabGpsIttZAQ= X-Google-Smtp-Source: AGHT+IHWJjEyydrUZZGe3h/NfcPD0QXFT1mcCPLGDGsKwS73kRRkVhlbIA3mtA/sy3wcaJU3AZWr X-Received: by 2002:a05:6808:2016:b0:3c3:ce25:ac93 with SMTP id q22-20020a056808201600b003c3ce25ac93mr6346262oiw.2.1711449694545; Tue, 26 Mar 2024 03:41:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1711449694; cv=none; d=google.com; s=arc-20160816; b=TeFAF7pmeJpAIlRxwI48F0mb+3eX/dXrwUk3Zy7rhrFmVbzUfAFRDrfaHk0MEqUBa6 cej4TYy/a6Yi+zrNVRpKWLye7wVPmslZ0c3HsaCfGOuBdklT79tK218UpFfzj9ABmV80 kEMyFtRnRe+FcFztqFZoemzp/Z1hPx5qH+dxvSlBQB0JeaxUEioikeuoC7xnzgaLd6Gy OXJ9SpOxj2NK0AkpPV6mKzZOagKUeZCNKnAU+j81ldxYBV8q9zNtVy4zRWSLXhG7SecZ Yr9n1SZIMH5gjoCZPqgTRJO5nGxW5l2q3e8aCSCCetrW4sbKK/TT3LU82nLRj9iNF9hn sVfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=K9HPur+n0cWLtzUVcmwLIxDP/U1I6kXBsF6DyQBDr+4=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=KetM275uc1pVljGi0jG59bKwOk5WGenk1lvx8yyk+HxmXvSkjqMTrpSJyErhzuRtMn 6ijgWTEoK9vaYWRikNRSh6VaLuIjsFPH9VCyGB7iHFDbrxJiDabZsYQdMiGl4UE0caq/ QBL4LNn/eDLdvrGEQyqqvuxQVCDmhQkyD3RP+yk1JEsANg9zTSo5dVZ8oPuTQWG/KZqz STTBqWVTFKX30fRp3/BkAsTjjSIz3WiH3YoRBcFSiUJnuke1D+MRcgIgv6IcBlcCWPGr HBb0TSqENGO/bGFoDhCZgBSnV2fgTu7kDgGkvEp4UuKJ3+oYXsOml2SS7pmgJyk/H8o2 W37w==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=kKXqKRN7; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=KE61klJp; dkim=neutral (body hash did not verify) header.i=@lichtenheld.com header.s=MBO0001 header.b=d2KrbNHX; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id t32-20020a634620000000b005dcd64e8467si9719483pga.59.2024.03.26.03.41.34 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 26 Mar 2024 03:41:34 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=kKXqKRN7; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=KE61klJp; dkim=neutral (body hash did not verify) header.i=@lichtenheld.com header.s=MBO0001 header.b=d2KrbNHX; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1rp4F0-0002oO-0G; Tue, 26 Mar 2024 10:41:14 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1rp4Ez-0002oH-41 for openvpn-devel@lists.sourceforge.net; Tue, 26 Mar 2024 10:41:13 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=k+DircoxPwRRFWK8KbTqKXTd5EZGrnu0wRvVrgozxag=; b=kKXqKRN7SC/osiE5x9IVG4ZaFT K701D3TBQcVbBUg+xKbLbTHOIZcmzjgH/AfvzPMXL2VW7WJ9uwC/WZb2JrWu+CR/2KIOljeA12gOf SDGySavkQjGJBHtdWLRaQVeRZJlCK7ooIC7maRc1M8lTERa7t20lzghIn7BRrUzvMrFU=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=k+DircoxPwRRFWK8KbTqKXTd5EZGrnu0wRvVrgozxag=; b=KE61klJpMWHj3Fre4yCbNjhrv7 G2SAEbXQQAs7CbWOsUvr2GdTfNNxMX8fLjQGTszLt3+I+3l9NvPjtP7DS+wBDhHmy0utjvDNRlvjh 6HX3JpIqP5mfgocTamQj9pxUrvjx5JWhdFDjlZclk6O8k5avedYbmbLmlPQ/kbMnYJ9A=; Received: from mout-p-202.mailbox.org ([80.241.56.172]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1rp4Ew-0008MQ-Po for openvpn-devel@lists.sourceforge.net; Tue, 26 Mar 2024 10:41:12 +0000 Received: from smtp2.mailbox.org (smtp2.mailbox.org [10.196.197.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4V3mYV4vnhz9spY; Tue, 26 Mar 2024 11:41:02 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lichtenheld.com; s=MBO0001; t=1711449662; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=k+DircoxPwRRFWK8KbTqKXTd5EZGrnu0wRvVrgozxag=; b=d2KrbNHX2/Km6K/N7RoGlFNZZmoAUCM24neqTeoZPMZyEMi3bWxsvJm5wyZyqg5hN79FpA Dwdl42mqx+fk49oUTT39ozo6Sxnu+0aVknE07VM28mTB5brXyfnGaqHLEezBP37LubKuZe Lrsp8CVdHPhxWjJlYLi+KI1i4dio+OweyBHwO95qqd1qaLycUekdmRwsugJHFXAgI/Kxdz E2TLsWjp34YF4vcozDUpTiGx3yCKaPSncfO1GhjZ0hXuHuK6nU5YbeG3CFRKTcn9lckSEl YCIpDy1PV1dNJ014tbi+zQSeLNLS3vwSv1Yq+tVR2GCym7APTih0AabUAUfV1w== From: Frank Lichtenheld To: openvpn-devel@lists.sourceforge.net Date: Tue, 26 Mar 2024 11:41:01 +0100 Message-Id: <20240326104101.531291-1-frank@lichtenheld.com> In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: -0.9 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Arne Schwabe When openvpn_snprintf is replaced by snprintf the GCC/MSVC compiler will perform additional checks that the result is not truncated. This warning can be avoid by either explicitly checking the return value of snprintf (proxy) or ensuring that it is never truncated(tls crypt) Content analysis details: (-0.9 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [80.241.56.172 listed in list.dnswl.org] 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-Headers-End: 1rp4Ew-0008MQ-Po Subject: [Openvpn-devel] [PATCH v1] Fix snprintf/swnprintf related compiler warnings X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1794585074662473133?= X-GMAIL-MSGID: =?utf-8?q?1794585074662473133?= From: Arne Schwabe When openvpn_snprintf is replaced by snprintf the GCC/MSVC compiler will perform additional checks that the result is not truncated. This warning can be avoid by either explicitly checking the return value of snprintf (proxy) or ensuring that it is never truncated(tls crypt) Change-Id: If23988a05dd53a519c5e57f2aa3b2d10bd29df1d Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/549 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld Note: Missing word in commit message added for submission. diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index c904301..5c1cdcb 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -948,17 +948,21 @@ } /* send digest response */ - openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization: Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", qop=%s, nc=%s, cnonce=\"%s\", response=\"%s\"%s", - username, - realm, - nonce, - uri, - qop, - nonce_count, - cnonce, - response, - opaque_kv - ); + int sret = openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization: Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", qop=%s, nc=%s, cnonce=\"%s\", response=\"%s\"%s", + username, + realm, + nonce, + uri, + qop, + nonce_count, + cnonce, + response, + opaque_kv + ); + if (sret >= sizeof(buf)) + { + goto error; + } msg(D_PROXY, "Send to HTTP proxy: '%s'", buf); if (!send_line_crlf(sd, buf)) { diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c index d842666..b046910 100644 --- a/src/openvpn/socks.c +++ b/src/openvpn/socks.c @@ -109,8 +109,11 @@ "Authentication not possible."); goto cleanup; } - openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", (int) strlen(creds.username), - creds.username, (int) strlen(creds.password), creds.password); + int sret = openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", + (int) strlen(creds.username), creds.username, + (int) strlen(creds.password), creds.password); + ASSERT(sret <= sizeof(to_send)); + size = send(sd, to_send, strlen(to_send), MSG_NOSIGNAL); if (size != strlen(to_send)) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 4383e98..6f29c3d 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -2069,7 +2069,7 @@ #endif #ifndef OPENSSL_NO_EC - char groupname[256]; + char groupname[64]; if (is_ec) { size_t len; @@ -2130,7 +2130,7 @@ print_cert_details(X509 *cert, char *buf, size_t buflen) { EVP_PKEY *pkey = X509_get_pubkey(cert); - char pkeybuf[128] = { 0 }; + char pkeybuf[64] = { 0 }; print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf)); char sig[128] = { 0 }; diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 975d31f..6ef1c7d 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -575,7 +575,7 @@ char metadata_type_str[4] = { 0 }; /* Max value: 255 */ openvpn_snprintf(metadata_type_str, sizeof(metadata_type_str), - "%i", metadata_type); + "%i", (uint8_t) metadata_type); struct env_set *es = env_set_create(NULL); setenv_str(es, "script_type", "tls-crypt-v2-verify"); setenv_str(es, "metadata_type", metadata_type_str); diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 452633c..d32223c 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -33,6 +33,7 @@ #include #include #include +#include #include @@ -2002,7 +2003,7 @@ ReturnLastError(pipe, L"malloc"); goto out; } - openvpn_swprintf(cmdline, cmdline_size, L"openvpn %ls --msg-channel %lu", + openvpn_swprintf(cmdline, cmdline_size, L"openvpn %ls --msg-channel %" PRIuPTR, sud.options, svc_pipe); if (!CreateEnvironmentBlock(&user_env, imp_token, FALSE))