From: "flichtenheld (Code Review)"
Date: Wed, 10 Jan 2024 14:57:05 +0000
To: plaisthos
Cc: openvpn-devel
Reply-To: frank@lichtenheld.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net
Subject: [Openvpn-devel] [S] Change in openvpn[release/2.6]: NTLM: add length check to add_security_buffer
X-Gerrit-Change-Id: Icea931d29e3e504e23e045539b21013b42172664
X-Gerrit-Change-Number: 493
X-Gerrit-Project: openvpn
X-Gerrit-Commit: d3af61a73b52163b66eea765b8591337ecd9ded6

Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/493?usp=email

to review the following change.

Change subject: NTLM: add length check to add_security_buffer
......................................................................

NTLM: add length check to add_security_buffer

Especially ntlmv2_response can be very big, so make sure
we do not exceed the size of the phase3 buffer.

Change-Id: Icea931d29e3e504e23e045539b21013b42172664
Signed-off-by: Frank Lichtenheld
---
M src/openvpn/ntlm.c
1 file changed, 10 insertions(+), 5 deletions(-)

  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/93/493/1

diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 2e77214..2b735ec 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c 
@@ -167,8 +167,13 @@ static void add_security_buffer(int sb_offset, void *data, int length, - unsigned char *msg_buf, int *msg_bufpos) + unsigned char *msg_buf, int *msg_bufpos, size_t msg_bufsize) { + if (*msg_bufpos + length > msg_bufsize) + { + msg(M_WARN, "NTLM: security buffer too big for message buffer"); + return; + } /* Adds security buffer data to a message and sets security buffer's * offset and length */ msg_buf[sb_offset] = (unsigned char)length; @@ -396,20 +401,20 @@ if (ntlmv2_enabled) /* NTLMv2 response */ { add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16, - phase3, &phase3_bufpos); + phase3, &phase3_bufpos, sizeof(phase3)); } else /* NTLM response */ { - add_security_buffer(0x14, ntlm_response, 24, phase3, &phase3_bufpos); + add_security_buffer(0x14, ntlm_response, 24, phase3, &phase3_bufpos, sizeof(phase3)); } /* username in ascii */ add_security_buffer(0x24, username, strlen(username), phase3, - &phase3_bufpos); + &phase3_bufpos, sizeof(phase3)); /* Set domain. If is empty, default domain will be used * (i.e. proxy's domain) */ - add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos); + add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos, sizeof(phase3)); /* other security buffers will be empty */ phase3[0x10] = phase3_bufpos; /* lm not used */
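
Review bot: In the first hunk (@@ -167,8 +167,13 @@), the new guard `*msg_bufpos + length > msg_bufsize` adds two `int` values and only then compares the result against a `size_t`. The sum is computed in signed arithmetic before the implicit conversion, so a negative `length` that still leaves a positive sum passes the check, and the comparison will trigger -Wsign-compare where that warning is enabled. Consider rejecting `length < 0` explicitly and doing the comparison in `size_t`, or changing `length` and `*msg_bufpos` to `size_t` throughout. The check also now sits above the `/* Adds security buffer data to a message ... */` comment that describes the function; placing the check below that comment keeps the description at the top of the body.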
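
Review bot: In the second hunk (@@ -396,20 +401,20 @@), none of the four call sites can tell that the new check failed: add_security_buffer() is still `static void` and only logs at M_WARN before returning. If the ntlmv2_response call is rejected, the code still goes on to add username and domain and to execute `phase3[0x10] = phase3_bufpos;`, so it continues with a phase 3 message whose response security buffer was never filled in. Suggest returning a bool from add_security_buffer() and abandoning phase 3 generation on failure. Separately, `strlen(username)` and `strlen(domain)` are still narrowed from size_t into the `int length` parameter, and the ntlm_response and domain calls are now single long lines where the other two calls wrap the added `sizeof(phase3)` argument.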