[Openvpn-devel,v1] interactive.c: add the upper bound for startupdata size

Message ID 20251030150432.4689-1-gert@greenie.muc.de
State New

Commit Message

Gert Doering Oct. 30, 2025, 3:04 p.m. UTC
From: Lev Stipakov <lev@openvpn.net>

The size is passed from the limited-privileges process.
This check ensures that the service won't allocate
more than needed.

Reported-by: Joshua Rogers <contact@joshua.hu>
Found-by: ZeroPath (https://zeropath.com/)

Change-Id: I75ebf01641db4dcd07041e3b8b3fa8a632d07595
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1331
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1331
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering <gert@greenie.muc.de>

Comments

Gert Doering Oct. 30, 2025, 4:17 p.m. UTC | #1
Looks good, reasonable hardening against unasked-for garbage coming in
via the service pipe.  Have not tested this, but since you have so nicely
made event logging beautiful again, evidence should be clearly visible.

Your patch has been applied to the master branch.

commit 37af2c953266a3ffd34b3fa95317bd995e985aec
Author: Lev Stipakov
Date:   Thu Oct 30 16:04:26 2025 +0100

     interactive.c: add the upper bound for startupdata size

     Signed-off-by: Lev Stipakov <lev@openvpn.net>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1331
     Message-Id: <20251030150432.4689-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34039.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index ce0d4dd..cb31267 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -446,9 +446,9 @@ 
     }
 
     size = bytes / sizeof(*data);
-    if (size == 0)
+    if ((size == 0) || (size > 4096)) /* our startup data is 1024 wchars at the moment */
     {
-        MsgToEventLog(M_SYSERR, L"malformed startup data: 1 byte received");
+        MsgToEventLog(M_SYSERR, L"malformed startup data: %lu bytes received", size);
         ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event);
         goto err;
     }
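
Review bot: The new MsgToEventLog format string reports `size` as "%lu bytes received", but `size` was just computed as `bytes / sizeof(*data)`, so it is an element count rather than a byte count. If `*data` is wider than one byte, as the "1024 wchars" comment suggests, the event log will understate what actually arrived, and a short read that yields `size == 0` will now log "0 bytes" where the old text said 1 byte. Logging `bytes` instead, or rewording the message to the unit of `*data`, would keep the evidence accurate. The declared type of `size` is not visible in this hunk; `%lu` needs an `unsigned long` argument, so add a cast if `size` is anything else. The bound `4096` is also a bare literal next to a comment that says the startup data is 1024 wchars. A named constant, with a short note on why the limit is four times the current size, would make the intent clear and keep the limit in one place.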