From: "flichtenheld (Code Review)"
Date: Fri, 12 Jan 2024 14:14:05 +0000
To: plaisthos
Cc: openvpn-devel
Subject: [Openvpn-devel] [S] Change in openvpn[master]: NTLM: add length check to add_security_buffer

Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review.
Please visit http://gerrit.openvpn.net/c/openvpn/+/496?usp=email to review the following change.

Change subject: NTLM: add length check to add_security_buffer ...................................................................... NTLM: add length check to add_security_buffer Especially ntlmv2_response can be very big, so make sure we not do exceed the size of the phase3 buffer. Change-Id: Icea931d29e3e504e23e045539b21013b42172664 Signed-off-by: Frank Lichtenheld --- M src/openvpn/ntlm.c 1 file changed, 9 insertions(+), 4 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/96/496/1 diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index bc33f41..99d4ae7 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -154,8 +154,13 @@ static void add_security_buffer(int sb_offset, void *data, int length, - unsigned char *msg_buf, int *msg_bufpos) + unsigned char *msg_buf, int *msg_bufpos, size_t msg_bufsize) { + if (*msg_bufpos + length > msg_bufsize) + { + msg(M_WARN, "NTLM: security buffer too big for message buffer"); + return; + } /* Adds security buffer data to a message and sets security buffer's * offset and length */ msg_buf[sb_offset] = (unsigned char)length; @@ -362,15 +367,15 @@ /* NTLMv2 response */ add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16, - phase3, &phase3_bufpos); + phase3, &phase3_bufpos, sizeof(phase3)); /* username in ascii */ add_security_buffer(0x24, username, strlen(username), phase3, - &phase3_bufpos); + &phase3_bufpos, sizeof(phase3)); /* Set domain. If is empty, default domain will be used * (i.e. proxy's domain) */ - add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos); + add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos, sizeof(phase3)); /* other security buffers will be empty */ phase3[0x10] = phase3_bufpos; /* lm not used */
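
Review bot: In the first hunk (add_security_buffer), the new check `*msg_bufpos + length > msg_bufsize` adds two `int` values and only then compares the sum with a `size_t`, so the addition itself can overflow as signed arithmetic and the comparison depends on implicit signed-to-unsigned conversion. Reject `length < 0` explicitly and compare against the remaining space instead, for example `(size_t)length > msg_bufsize - (size_t)*msg_bufpos` once `*msg_bufpos` is known to be within `msg_bufsize`. The new block also sits above the existing comment "Adds security buffer data to a message and sets security buffer's offset and length", which now reads as if it described only the code after the check; move the check below that comment.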
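
Review bot: In the second hunk (the three call sites on `phase3`), a refused buffer goes unnoticed: add_security_buffer still returns `void`, so after the M_WARN the caller carries on to `phase3[0x10] = phase3_bufpos;` with that security buffer's length and offset fields never written, and the oversized `ntlmv2_response` case the commit message mentions ends in a malformed message rather than a clean failure. Have the function return a success flag and make the caller stop building phase3 when it is false. Style point: the `domain` call is now a single long line while the other two calls are wrapped; wrap it the same way.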