From patchwork Mon Nov 17 17:28:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 4611 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:6d04:b0:7b1:439f:bdf with SMTP id e4csp3403015may; Mon, 17 Nov 2025 09:39:02 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCVcM0PBMWe630lDgixyWNxDLXe7UpTXK6UJrmF9fNJktgSRAdEYQVNrgQa56i6rZE+SNdHB3CrLYK4=@openvpn.net X-Google-Smtp-Source: AGHT+IEgh+VML/+AhSW80gm8YZQvB8osMcVuSoG2b3nmZriOLAtEthqdfGpBeG4jzotkTdvcuF69 X-Received: by 2002:a05:6808:159b:b0:44f:f73c:9412 with SMTP id 5614622812f47-450976112cfmr6061017b6e.63.1763401142304; Mon, 17 Nov 2025 09:39:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1763401142; cv=none; d=google.com; s=arc-20240605; b=H8n9aEVY/r8FSVmo0iLMQkwKufT4mmYaMi7i+Lz15ordcSuRnxf75tYILyGwr44ucR esw1xQvE1Cz5ZtoS5GMeJkNOK5saXfW9F+TT3UHDnIZ/iWWcJXtRWk/rQQbU0Qdl8AGJ m4VVv25MyG9wEtM5p9hLo6Fy625reVtrxXWvA6++CIB363NwZ4FEm0Su6FuFJaSUR3p4 2zMJv0LNJVw0MRk7aF5ZyVxI5FE9baKzQkfB+dBbw5U1Myf0a2qbuzwsE//5RBrvjwzc p+kjj9+UF4dYKAs/77kpDanBftAWXksmkbjd54nlATnQDGzeXYdFb63QxZZfj+Dbl2/R 6HFw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=Vr8g0An2+CbxdGsVtuRlOiPWIRym49JuJ7O/42tpoyg=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=g0GXk9ugOAkEXqjDJPBgcKFCRmxl9ckVIxTyPW7ZHerm/7VELXt01I0orhqTu4HCFy qhrqkn0z9+d1QNOz9I3x4cuxat6wtBXHR6fkLNUmXa88IYTLqHCA5K+Q/lESfCu0I3MF 9lC1h7QQwNsnRn5arO4cipnha7pCzJXr4I6deywidC+SSBKptZb81rXh8HznVRfN8vbR gTnfCsLWCjZuY3lGma4FOuKNh+tk5JAznSFXldt5Na+WwHSKOABp33dybHEBACqLkuFp +Qocpuxe5VipN1dxDLPQ5Bv/IbkhhBKdVYJwR/gGyiJtY4XkbukTy3JoR8AHaXdusK4c gCsg==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=j2Iimmgd; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=GR2f+5MV; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b="SRHg+V/s"; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 5614622812f47-4508a79434asi3705584b6e.314.2025.11.17.09.39.01 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 17 Nov 2025 09:39:01 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=j2Iimmgd; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=GR2f+5MV; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b="SRHg+V/s"; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=Vr8g0An2+CbxdGsVtuRlOiPWIRym49JuJ7O/42tpoyg=; b=j2Iimmgd2XLPrYcytppNflqTLG GMSuxCGNHNBE+wE+D93Me5jfqymtNRGYLzL7+1a5Zr6JlhYDCjnLKkTHViyTCB2a/2UiYdxSYOFCo qQgGvCcw7UrhaaXg8JO+Hc9T19H5fmGBh17aP61f94wL9pZLuABRP3LuC0qXSXwnn3xQ=; Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1vL3Bm-0005Li-Sc; Mon, 17 Nov 2025 17:38:55 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1vL3Bl-0005LS-7X for openvpn-devel@lists.sourceforge.net; Mon, 17 Nov 2025 17:38:54 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=tPsn8IcsAhah25vhbiHrkKKWsrs9BMJcylJRjvD5W+s=; b=GR2f+5MVLK9XHhsEtxlid9cWYl U022l6bZAi04P7siJnkI4HHn4Lmz13kcqRv1nlNwa5YDGmJT8APUzngZXOV7RgSxMvpQWVtDuWeqW kGe3ekFBhZ5Ldl/XoUOHkwHkNaMNjmRUJqMaHWpSEwRb9rhk9HovhIdDTZ8nootVBAug=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=tPsn8IcsAhah25vhbiHrkKKWsrs9BMJcylJRjvD5W+s=; b=SRHg+V/s22+vAJSR1lAOgiBOSn I3Vjk4g4MtSybIP2XI0uvq1DHcHp/f49eDKgTHTAXLjTc6KdusQbsmndZrBKUadbPMiTrU/dRDbRP RByCVRaGfMwVqbKNNGVYEdQy5GKvfnoohU48ACSRTWov1Mf/cRM8eSUB73JAhQk91zf0=; Received: from chekov.greenie.muc.de ([193.149.48.178]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1vL3Bk-0007y5-RZ for openvpn-devel@lists.sourceforge.net; Mon, 17 Nov 2025 17:38:53 +0000 Received: from chekov.greenie.muc.de (localhost [IPv6:0:0:0:0:0:0:0:1]) by chekov.greenie.muc.de (8.18.1/8.18.1) with ESMTPS id 5AHHck5Z010429 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO) for ; Mon, 17 Nov 2025 18:38:46 +0100 (CET) (envelope-from gert@chekov.greenie.muc.de) Received: (from gert@localhost) by chekov.greenie.muc.de (8.18.1/8.18.1/Submit) id 5AHHcksg010428 for openvpn-devel@lists.sourceforge.net; Mon, 17 Nov 2025 18:38:46 +0100 (CET) (envelope-from gert) From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Mon, 17 Nov 2025 18:28:58 +0100 Message-ID: <20251117173843.10091-2-gert@greenie.muc.de> X-Mailer: git-send-email 2.51.2 In-Reply-To: <20251117173843.10091-1-gert@greenie.muc.de> References: <20251117173843.10091-1-gert@greenie.muc.de> MIME-Version: 1.0 X-Spam-Score: 0.0 (/) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-2.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Mikhail Khachaiants Add a family check to prevent copying address data of the wrong type, which could cause buffer over-read when parsing routes or endpoints. CVE: 2025-12106 Content analysis details: (0.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- X-Headers-End: 1vL3Bk-0007y5-RZ Subject: [Openvpn-devel] [PATCH 1/2] socket: reject mismatched address family in get_addr_generic X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1849060115752938327?= X-GMAIL-MSGID: =?utf-8?q?1849060115752938327?= From: Mikhail Khachaiants Add a family check to prevent copying address data of the wrong type, which could cause buffer over-read when parsing routes or endpoints. CVE: 2025-12106 Github: OpenVPN/openvpn-private-issues#77 Signed-off-by: Mikhail Khachaiants Acked-By: Gert Doering Signed-Off-By: Gert Doering --- src/openvpn/socket.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index f7317d13..8b6e35e4 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -147,6 +147,13 @@ get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname, void struct in6_addr *ip6; in_addr_t *ip4; + if (af != ai->ai_family) + { + msg(msglevel, "Can't parse %s as IPv%d address", var_host, (af == AF_INET) ? 4 : 6); + ret = -1; + goto out; + } + switch (af) { case AF_INET: