[Openvpn-devel,v2] proto: correct 802.1Q length check in is_ipv_X

Message ID 20260715202210.9010-1-gert@greenie.muc.de
State New
Headers
Series [Openvpn-devel,v2] proto: correct 802.1Q length check in is_ipv_X |

Commit Message

Gert Doering July 15, 2026, 8:22 p.m. UTC
  From: rootvector2 <dxbnaveed.k@gmail.com>

Github: OpenVPN/openvpn#1044

This has also been reported twice as a security relevant bug, but
only later than the original finding - and it isn't.

While --client-nat would modify a 32bit integer "after the packet"
(the place where an IPv4 address would be, in a well-formed packet),
the underlying buffer is always max-frame sized, and we never look
at the "modified integer" afterwards, so there are no consequences
warranting allocation of a CVE ID.

Signed-off-by: rootvector2 <dxbnaveed.k@gmail.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1789
Reported-By: 章鱼哥 (www.aipyaipy.com)
Reported-By: Yu Zhang Wong <wongyuzhang45@gmail.com>
Change-Id: I8219c6295acf28ff10ddb2fcc285f813c42fa8fe
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1789
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe <arne-openvpn@rfc2549.org>
Antonio Quartulli <antonio@mandelbit.com>
  

Patch

diff --git a/src/openvpn/proto.c b/src/openvpn/proto.c
index 13fe0a5..785c021 100644
--- a/src/openvpn/proto.c
+++ b/src/openvpn/proto.c
@@ -70,7 +70,7 @@ 
         if (proto == htons(OPENVPN_ETH_P_8021Q))
         {
             const struct openvpn_8021qhdr *evh;
-            if (BLENZ(buf) < sizeof(struct openvpn_ethhdr) + sizeof(struct openvpn_iphdr))
+            if (BLENZ(buf) < sizeof(struct openvpn_8021qhdr) + sizeof(struct openvpn_iphdr))
             {
                 return false;
             }