From patchwork Fri Jun 5 14:18:02 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4996
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 5 Jun 2026 16:18:02 +0200
Message-ID: <20260605141808.14028-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v1] socket: assert buffer length before reading prepended sockaddr family

From: Lev Stipakov

read_sockaddr_from_packet() inspected sa->sa_family before any check on
buf->len, so a short delivery from the dco-win driver would have
produced a garbage peer address from uninitialized buffer memory.

The driver always prepends a full sockaddr and validates the family
before writing, so reaching any of the size/family checks would mean
something is severely wrong on the driver side - assert the three
preconditions instead of M_FATAL'ing on them.

GitHub: https://github.com/OpenVPN/openvpn-private-issues/issues/105

Change-Id: I2ce954aa5b74002be5e38d53783435736625bb2f
Signed-off-by: Lev Stipakov
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1706
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1706
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering

diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 624ce4f..df2cc9e 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c 
@@ -2813,38 +2813,31 @@ { int sa_len = 0; + /* In dco-win multipeer mode the kernel driver always prepends a full + * sockaddr_in or sockaddr_in6 in front of the control-packet payload, + * so the buffer must hold at least sizeof(struct sockaddr_in) bytes + * before we may inspect sa_family. */ + ASSERT(buf_len(buf) >= (int)sizeof(struct sockaddr_in)); + const struct sockaddr *sa = (const struct sockaddr *)BPTR(buf); switch (sa->sa_family) { case AF_INET: sa_len = sizeof(struct sockaddr_in); - if (buf_len(buf) < sa_len) - { - msg(M_FATAL, - "ERROR: received incoming packet with too short length of %d -- must be at least %d.", - buf_len(buf), sa_len); - } - memcpy(dst, sa, sa_len); - buf_advance(buf, sa_len); break; case AF_INET6: sa_len = sizeof(struct sockaddr_in6); - if (buf_len(buf) < sa_len) - { - msg(M_FATAL, - "ERROR: received incoming packet with too short length of %d -- must be at least %d.", - buf_len(buf), sa_len); - } - memcpy(dst, sa, sa_len); - buf_advance(buf, sa_len); + ASSERT(buf_len(buf) >= sa_len); break; default: - msg(M_FATAL, "ERROR: received incoming packet with invalid address family %d.", - sa->sa_family); + ASSERT(0); /* driver validates the family before writing */ } + memcpy(dst, sa, sa_len); + buf_advance(buf, sa_len); + return sa_len; }
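
Review bot: the two length checks and the `default:` branch now fail through ASSERT expressions that carry no runtime values, so the data the removed msg(M_FATAL, ...) calls reported (buf_len(buf), the required sa_len, and the offending sa->sa_family) is lost exactly when a driver-side fault needs triage. Consider logging the observed length and family just before each ASSERT, or at least ahead of `ASSERT(0)`, so a failure report still says what the driver delivered. Separately, the hoisted `memcpy(dst, sa, sa_len);` and `buf_advance(buf, sa_len);` after the switch rely on `ASSERT(0)` never returning; if it did, the function would fall through with sa_len still 0 and return 0 without consuming anything. A short comment at the `default:` branch stating that dependency, or an explicit early return there, would make the control flow clear to readers and static analysers.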