From patchwork Wed Nov 12 14:13:28 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4590
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 Nov 2025 15:13:28 +0100
Message-ID: <20251112141335.17417-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v1] Fix construction of invalid pointer in tls_pre_decrypt
From: Arne Schwabe

In tls_pre_decrypt we construct a pointer ks with an invalid i if i is TM_SIZE, doing an out-of-bounds access in multi->session. This is something that exists at least since 2.3.0 (I didn't go further back but it probably exists in earlier versions as well, as the commits date back to the SVN beta21 branch).

So we construct the pointer but do not do anything with it if it is invalid, as we check i *after* we construct the pointer `ks`. I suspect that the compiler optimises the bug away at any higher optimisation level. Assuming there is no optimisation, let's check what is possible. Since we never use the value `ks` if it is invalid, we do not have to worry whether it ends up invalid or not. The only thing that we have to worry about is whether `session + offsetof(struct tls_session, key[KS_PRIMARY])` is pointing to memory that is valid to read to construct the `ks` pointer. This is outside the tls_multi struct, so this is not guaranteed to be allocated memory, but at the same time it is also only a few bytes (or a few tens/hundreds) after the struct, so it will with extremely high probability be in a memory region that will not cause a segfault.

Every time this condition is hit and we construct the invalid pointer, the log message "TLS Error: Unroutable control packet received" is printed at `verb 1` or higher. And this is a quite common log message, which serves as an indication as well that a crash is not something that typically happens, but that either the optimisation fixes it or the memory region of the invalid access is valid to read from.

Change-Id: Ided1ac7c804487055b175d8766535bead257b7d5
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1373
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1373
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering
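The ordering problem the commit message describes, as an added C example that is not OpenVPN's code: the struct layouts, the values of TM_SIZE and KS_PRIMARY, and the function names are simplified stand-ins assumed for illustration, not taken from ssl_common.h or ssl.c. The buggy and the fixed lookup sit side by side, and the offset arithmetic shows, using only offsetof and sizeof so that no invalid pointer is ever formed while measuring, where the invalid `ks` would land relative to the end of the `tls_multi` stand-in, which is what the message's "only a few bytes after the struct" refers to.

```c
/* Added example (not OpenVPN's code): the pointer-ordering bug described
 * in the commit message, shown on simplified stand-ins for OpenVPN's
 * structs. TM_SIZE, KS_PRIMARY, KS_SIZE and the struct layouts are
 * assumptions for illustration, not copied from ssl_common.h. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TM_SIZE    3   /* assumed: number of tls_session slots per tls_multi */
#define KS_PRIMARY 0   /* assumed: index of the primary key_state */
#define KS_SIZE    2   /* assumed: key_state slots per tls_session */

struct key_state {
    int state;
    unsigned char key_id;
    char pad[40];          /* stand-in for the real fields */
};

struct tls_session {
    int opt_flags;
    struct key_state key[KS_SIZE];
};

struct tls_multi {
    int n_sessions;
    struct tls_session session[TM_SIZE];
};

/* Buggy ordering (the pre-patch shape): the address of
 * session[i].key[KS_PRIMARY] is formed before i is validated. With
 * i == TM_SIZE that is a pointer past the end of the struct, which is
 * undefined behaviour even though the value is never dereferenced on
 * the error path. Kept here for comparison; never called. */
struct key_state *lookup_primary_buggy(struct tls_multi *multi, int i)
{
    struct tls_session *session = &multi->session[i];
    struct key_state *ks = &session->key[KS_PRIMARY];
    if (i == TM_SIZE) {
        return NULL;   /* the "Unroutable control packet" path */
    }
    return ks;
}

/* Fixed ordering (what the patch does): validate i first, then form the
 * pointers. The check is widened to a full range check here, which goes
 * beyond the page's single i == TM_SIZE comparison. */
struct key_state *lookup_primary_fixed(struct tls_multi *multi, int i)
{
    if (i < 0 || i >= TM_SIZE) {
        return NULL;
    }
    struct tls_session *session = &multi->session[i];
    return &session->key[KS_PRIMARY];
}

/* Byte offset from the start of struct tls_multi that the buggy code
 * would compute for ks when i == TM_SIZE. Pure integer arithmetic, so
 * the measurement itself forms no out-of-bounds pointer. */
size_t buggy_ks_offset_at_tm_size(void)
{
    return offsetof(struct tls_multi, session)
         + (size_t)TM_SIZE * sizeof(struct tls_session)
         + offsetof(struct tls_session, key)
         + (size_t)KS_PRIMARY * sizeof(struct key_state);
}

/* How many bytes past the end of the tls_multi object the invalid ks
 * would point: small, as the commit message says, but outside it. */
size_t buggy_ks_bytes_past_end(void)
{
    return buggy_ks_offset_at_tm_size() - sizeof(struct tls_multi);
}

int main(void)
{
    struct tls_multi multi;
    memset(&multi, 0, sizeof(multi));

    for (int i = 0; i <= TM_SIZE; i++) {
        struct key_state *ks = lookup_primary_fixed(&multi, i);
        printf("i=%d -> %s\n", i, ks ? "valid key_state" : "rejected");
    }
    printf("buggy ks for i=TM_SIZE would sit %zu bytes past the struct end\n",
           buggy_ks_bytes_past_end());
    return 0;
}
```

With this layout the invalid `ks` lands exactly offsetof(struct tls_session, key) bytes past the end of the `tls_multi` object; with the real OpenVPN structs the distance differs but the shape of the problem is the same. The fixed variant rejects any out-of-range index rather than only TM_SIZE, a deliberate widening so that the pointer can never be formed from an index the caller did not validate.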
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 398c9ae..e21ac78 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -3729,9 +3729,6 @@ } else { - struct tls_session *session = &multi->session[i]; - struct key_state *ks = &session->key[KS_PRIMARY]; - /* * Packet must belong to an existing session. */ @@ -3742,6 +3739,8 @@ goto error; } + struct tls_session *session = &multi->session[i]; + struct key_state *ks = &session->key[KS_PRIMARY]; /* * Verify remote IP address */
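Review bot: in the second hunk the re-added declarations `struct tls_session *session = &multi->session[i];` and `struct key_state *ks = &session->key[KS_PRIMARY];` sit directly against the following `/* Verify remote IP address */` comment block, dropping the blank line that separated the same two declarations from the comment at their old position in the first hunk; consider restoring it so the moved block keeps the surrounding spacing style. The check on `i` that the commit message says now precedes the pointer construction is not inside this hunk's context (only its `goto error; }` tail is visible), so it is worth confirming that nothing between the old declaration point and the new one still refers to `session` or `ks`, since the move would otherwise leave a use before the declaration.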