From patchwork Thu Jul 11 11:30:22 2024
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 3765
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 11 Jul 2024 13:30:22 +0200
Message-Id: <20240711113022.52076-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH release/2.5] Allow trailing \r and \n in control channel message
From: Arne Schwabe

Writing a reason from a script will easily end up adding extra \r\n
characters at the end of the reason. Our current code pushes this to the
peer. So be more liberal in accepting these messages.

Closes openvpn/openvpn#568

This is the backport of the fix to release/2.5.

Change-Id: I47c992b6b73b1475cbff8a28f720cf50dc1fbe3e
Signed-off-by: Arne Schwabe
Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
---
 src/openvpn/forward.c | 73 +++++++++++++++++++++++++------------------
 1 file changed, 43 insertions(+), 30 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 404b71c8..e8b981b3 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -221,6 +221,46 @@ parse_incoming_control_channel_command(struct context *c, struct buffer *buf) } } +static struct buffer +extract_command_buffer(struct buffer *buf, struct gc_arena *gc) +{ + /* commands on the control channel are seperated by 0x00 bytes. + * cmdlen does not include the 0 byte of the string */ + int cmdlen = (int)strnlen(BSTR(buf), BLEN(buf)); + + if (cmdlen >= BLEN(buf)) + { + buf_advance(buf, cmdlen); + /* Return empty buffer */ + struct buffer empty = { 0 }; + return empty; + } + + /* include the NUL byte and ensure NUL termination */ + cmdlen += 1; + + /* Construct a buffer that only holds the current command and + * its closing NUL byte */ + struct buffer cmdbuf = alloc_buf_gc(cmdlen, gc); + buf_write(&cmdbuf, BPTR(buf), cmdlen); + + /* Remove \r and \n at the end of the buffer to avoid + * problems with scripts and other that add extra \r and \n */ + buf_chomp(&cmdbuf); + + /* check we have only printable characters or null byte in the + * command string and no newlines */ + if (!string_check_buf(&cmdbuf, CC_PRINT | CC_NULL, CC_CRLF)) + { + msg(D_PUSH_ERRORS, "WARNING: Received control with invalid characters: %s", + format_hex(BPTR(&cmdbuf), BLEN(&cmdbuf), 256, gc)); + cmdbuf.len = 0; + } + + buf_advance(buf, cmdlen); + return cmdbuf; +} + /* * Handle incoming configuration * messages on the control channel. 
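Review bot: buf_chomp(&cmdbuf) is called on a buffer whose last byte is the NUL that buf_write() just copied in (cmdlen was incremented to include it), so unless release/2.5's buf_chomp() also steps over a terminating NUL, the \r\n sitting in front of that NUL is never removed and string_check_buf(&cmdbuf, CC_PRINT | CC_NULL, CC_CRLF) still rejects the command; the diffstat shows only forward.c changing, so please confirm the 2.5 buffer.c already has that behaviour, or chomp before appending the NUL. Minor: "seperated" in the copied comment should read "separated".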
@@ -236,41 +276,14 @@ check_incoming_control_channel(struct context *c) struct buffer buf = alloc_buf_gc(len, &gc); if (tls_rec_payload(c->c2.tls_multi, &buf)) { - while (BLEN(&buf) > 1) { - /* commands on the control channel are seperated by 0x00 bytes. - * cmdlen does not include the 0 byte of the string */ - int cmdlen = (int)strnlen(BSTR(&buf), BLEN(&buf)); - - if (cmdlen < BLEN(&buf)) - { - /* include the NUL byte and ensure NUL termination */ - int cmdlen = (int)strlen(BSTR(&buf)) + 1; - - /* Construct a buffer that only holds the current command and - * its closing NUL byte */ - struct buffer cmdbuf = alloc_buf_gc(cmdlen, &gc); - buf_write(&cmdbuf, BPTR(&buf), cmdlen); + struct buffer cmdbuf = extract_command_buffer(&buf, &gc); - /* check we have only printable characters or null byte in the - * command string and no newlines */ - if (!string_check_buf(&buf, CC_PRINT | CC_NULL, CC_CRLF)) - { - msg(D_PUSH_ERRORS, "WARNING: Received control with invalid characters: %s", - format_hex(BPTR(&buf), BLEN(&buf), 256, &gc)); - } - else - { - parse_incoming_control_channel_command(c, &cmdbuf); - } - } - else + if (cmdbuf.len > 0) { - msg(D_PUSH_ERRORS, "WARNING: Ignoring control channel " - "message command without NUL termination"); + parse_incoming_control_channel_command(c, &cmdbuf); } - buf_advance(&buf, cmdlen); } } else
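Review bot: the hunk removes the `while (BLEN(&buf) > 1)` line without a replacement, leaving a bare block inside the `if (tls_rec_payload(...))` branch, so only the first NUL-separated command of a payload is parsed even though extract_command_buffer() advances `buf` precisely so it can be called again for the next command; the loop should be restored around the extract/parse block. Separately, the removed "Ignoring control channel message command without NUL termination" warning has no counterpart in the new helper, which returns an empty buffer silently, so the diagnostic for a truncated payload is lost; consider emitting it in the `cmdlen >= BLEN(buf)` branch.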
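The extract, chomp, then validate sequence the commit message motivates, as an added stand-alone example that is not part of this patch or of OpenVPN's code: it walks a constructed control-channel payload of NUL-separated commands, tolerates a script's trailing \r\n, and still rejects interior CR/LF or unterminated commands. The names (`extract_command`, `parse_payload`, the `cmd_status` values) are hypothetical and the payloads are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
/* Outcome of extracting one command (names constructed for this example). */
enum cmd_status { CMD_OK, CMD_EMPTY, CMD_UNTERMINATED, CMD_INVALID, CMD_TOO_LONG };

/* Take the next NUL-separated command from payload[*pos, len), strip trailing
 * \r and \n, then require printable ASCII only: the same order of operations
 * as the patch (chomp before the character-class check), minus the buffer API. */
static enum cmd_status
extract_command(const unsigned char *payload, size_t len, size_t *pos,
                char *out, size_t outlen)
{
    if (*pos >= len)
        return CMD_EMPTY;
    const unsigned char *start = payload + *pos;
    const unsigned char *nul = memchr(start, '\0', len - *pos);
    if (!nul) {                      /* no NUL terminator: drop the remainder */
        *pos = len;
        return CMD_UNTERMINATED;
    }
    size_t cmdlen = (size_t)(nul - start);
    *pos += cmdlen + 1;              /* consume command plus its NUL separator */
    while (cmdlen > 0 && (start[cmdlen - 1] == '\r' || start[cmdlen - 1] == '\n'))
        cmdlen--;                    /* tolerate a script's trailing \r\n */
    if (cmdlen == 0)
        return CMD_EMPTY;
    if (cmdlen >= outlen)
        return CMD_TOO_LONG;
    for (size_t i = 0; i < cmdlen; i++)
        if (!isprint(start[i]))      /* an interior \r or \n still fails here */
            return CMD_INVALID;
    memcpy(out, start, cmdlen);
    out[cmdlen] = '\0';
    return CMD_OK;
}

/* Walk a whole payload as the receiving side would; returns the number of
 * accepted commands and leaves the last accepted one in 'last'. */
static int
parse_payload(const unsigned char *payload, size_t len, char *last, size_t lastlen)
{
    int accepted = 0;
    size_t pos = 0;
    while (pos < len)
        if (extract_command(payload, len, &pos, last, lastlen) == CMD_OK)
            accepted++;
    return accepted;
}
```

Feeding `"AUTH_FAILED,bad password\r\n\0"` yields the command without its line ending, while `"AUTH_FAILED,bad\rpassword\0"` is still rejected and a trailing command with no NUL is dropped.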