From patchwork Wed Nov 8 12:49:45 2023
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3418
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 8 Nov 2023 13:49:45 +0100
Message-ID: <20231108124947.76816-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH 1/3] Remove saving initial frame code

From: Arne Schwabe

This code was necessary before the frame/buffer refactoring as we always
did relative adjustment to the frame.

This also fixes that previously initial_frame was initialised too early,
before the fragment related options were initialised, and contained 0 for
the maximum frame size. This resulted in a DIV by 0 that caused an abort
on platforms that throw an exception for that.

CVE: 2023-46849
Only people with --fragment in their config are affected

Change-Id: Icc612bab5700879606290639e1b8773f61ec670d
Signed-off-by: Arne Schwabe
---
 src/openvpn/forward.c | 9 ---------
 src/openvpn/init.c | 19 ++++++++-----------
 src/openvpn/openvpn.h | 3 ---
 3 files changed, 8 insertions(+), 23 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 2510410f9..0443ca0a0 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c @@ -1078,15 +1078,6 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co, floated, &ad_start)) { - /* Restore pre-NCP frame parameters */ - if (is_hard_reset_method2(opcode)) - { - c->c2.frame = c->c2.frame_initial; -#ifdef ENABLE_FRAGMENT - c->c2.frame_fragment = c->c2.frame_fragment_initial; -#endif - } - interval_action(&c->c2.tmp_int); /* reset packet received timer if TLS packet */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 019f5a4f6..8c707a463 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3537,15 +3537,6 @@ do_init_frame(struct context *c) */ frame_finalize_options(c, NULL); -#ifdef ENABLE_FRAGMENT - /* - * Set frame parameter for fragment code. This is necessary because - * the fragmentation code deals with payloads which have already been - * passed through the compression code. - */ - c->c2.frame_fragment = c->c2.frame; - c->c2.frame_fragment_initial = c->c2.frame_fragment; -#endif #if defined(ENABLE_FRAGMENT) /* @@ -3736,6 +3727,14 @@ static void do_init_fragment(struct context *c) { ASSERT(c->options.ce.fragment); + + /* + * Set frame parameter for fragment code. This is necessary because + * the fragmentation code deals with payloads which have already been + * passed through the compression code. + */ + c->c2.frame_fragment = c->c2.frame; + frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, &c->options, get_link_socket_info(c)); fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment); @@ -4640,8 +4639,6 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f c->c2.did_open_tun = do_open_tun(c, &error_flags); } - c->c2.frame_initial = c->c2.frame; - /* print MTU info */ do_print_data_channel_mtu_parms(c); diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 077effeb9..5b2be63f9 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h 
@@ -249,14 +249,11 @@ struct context_2 /* MTU frame parameters */ struct frame frame; /* Active frame parameters */ - struct frame frame_initial; /* Restored on new session */ #ifdef ENABLE_FRAGMENT /* Object to handle advanced MTU negotiation and datagram fragmentation */ struct fragment_master *fragment; struct frame frame_fragment; - struct frame frame_fragment_initial; - struct frame frame_fragment_omit; #endif /*
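Review bot: the openvpn.h hunk also drops `struct frame frame_fragment_omit;`, which neither the commit message nor the forward.c and init.c hunks mention; if it has been dead since the frame refactoring, say so in the message (or split it out) so the CVE fix stays minimal and easy to audit. The rest hangs together: the DIV by 0 goes away because `c->c2.frame_fragment = c->c2.frame;` now happens in do_init_fragment(), after `ASSERT(c->options.ce.fragment);` and directly before frame_calculate_dynamic(), instead of in do_init_frame() before the fragment options exist, and with frame_initial and frame_fragment_initial gone the `is_hard_reset_method2(opcode)` block in process_incoming_link_part1() had nothing left to restore. A one-line comment at the old forward.c site stating that frame parameters are no longer adjusted relatively would stop someone from reintroducing the restore later.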
From patchwork Wed Nov 8 12:49:46 2023
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3419
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 8 Nov 2023 13:49:46 +0100
Message-ID: <20231108124947.76816-2-gert@greenie.muc.de>
In-Reply-To: <20231108124947.76816-1-gert@greenie.muc.de>
References: <20231108124947.76816-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH 2/3] Double check that we do not use a freed buffer when freeing a session

From: Arne Schwabe

This is to find cases where the session already has planned to send out
a packet but encounters some other errors that invalidate the session,
setting it to S_ERROR and leaving the buffer behind.

This will detect and clear that to_link buffer in that case.

Change-Id: I5ffb41bed1c9237946b13d787eb4c4013e0bec68
Signed-off-by: Arne Schwabe
---
 src/openvpn/ssl.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 5e6205cc2..e15f951d6 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -3155,6 +3155,53 @@ tls_process(struct tls_multi *multi, return false; } + +/** + * This is a safe guard function to double check that a buffer from a session is + * not used in a session to avoid a use after free. + * + * @param to_link + * @param session + */ +static void +check_session_buf_not_used(struct buffer *to_link, struct tls_session *session) +{ + uint8_t *dataptr = to_link->data; + if (!dataptr) + { + return; + } + + /* Checks buffers in tls_wrap */ + if (session->tls_wrap.work.data == dataptr) + { + msg(M_INFO, "Warning buffer of freed TLS session is " + "still in use (tls_wrap.work.data)"); + goto used; + } + + for (int i = 0; i < KS_SIZE; i++) + { + struct key_state *ks = &session->key[i]; + for (int j = 0; j < ks->send_reliable->size; j++) + { + if (ks->send_reliable->array[i].buf.data == dataptr) + { + msg(M_INFO, "Warning buffer of freed TLS session is still in" + " use (session->key[%d].send_reliable->array[%d])", + i, j); + + goto used; + } + } + } + return; + +used: + to_link->len = 0; + to_link->data = 0; + /* for debugging, you can add an ASSERT(0); here to trigger an abort */ +} /* * Called by the top-level event loop. * 
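Review bot: the inner loop in check_session_buf_not_used() iterates `j` over `ks->send_reliable->size` but compares `ks->send_reliable->array[i].buf.data`, indexing with the key-state index `i` instead of `j`; every iteration therefore inspects the same element, the other entries are never checked, and the `array[%d]` index in the warning is not the element that was compared. It should read `if (ks->send_reliable->array[j].buf.data == dataptr)`. Smaller points: the doxygen `@param to_link` and `@param session` lines carry no description, `to_link->data = 0;` reads better as `NULL` for a pointer, and the message text wants a colon ("Warning: buffer of freed TLS session is still in use"). Since this is the safety net for a use after free, consider logging at a level that operators will actually see rather than M_INFO, or at least saying in the commit message why M_INFO was chosen.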
@@ -3253,6 +3300,7 @@ tls_multi_process(struct tls_multi *multi, } else { + check_session_buf_not_used(to_link, session); reset_session(multi, session); } }
From patchwork Wed Nov 8 12:49:47 2023
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3420
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 8 Nov 2023 13:49:47 +0100
Message-ID: <20231108124947.76816-3-gert@greenie.muc.de>
In-Reply-To: <20231108124947.76816-1-gert@greenie.muc.de>
References: <20231108124947.76816-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH 3/3] Fix using to_link buffer after freed

From: Arne Schwabe

When I refactored the tls_state_change method in 9a7b95fda5 I accidentally
changed a break into a return true while it should return a false.

The code here is extremely fragile in the sense that it assumes that
setting a keystate to S_ERROR cannot have any outgoing buffer or we will
have a use after free. The previous break and now restored return false
ensure this by skipping any further tls_process_state loops that might set
to ks->S_ERROR and ensure that the to_link is sent out and cleared before
having more loops in tls_state_change.

CVE: 2023-46850
This affects everyone, even with tls-auth/tls-crypt enabled.

Change-Id: I2a0f1c665d992da8e24a421ff0ddcb40f7945ea8
Signed-off-by: Arne Schwabe
---
 src/openvpn/ssl.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index e15f951d6..cee4afe19 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2903,7 +2903,13 @@ tls_process_state(struct tls_multi *multi, CONTROL_SEND_ACK_MAX, true); *to_link = b; dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP"); - return true; + + /* This changed the state of the outgoing buffer. In order to avoid + * running this function again/further and invalidating the key_state + * buffer and accessing the buffer that is now in to_link after it being + * freed for a potential error, we shortcircuit exiting of the outer + * process here. */ + return false; } /* Write incoming ciphertext to TLS object */
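Review bot: the new comment above `return false;` gives the motivation but not the contract the caller depends on, and that contract is exactly what makes the code fragile: per the commit message, a false return skips any further tls_process_state() iterations in this round, so the buffer handed back in `*to_link = b;` is sent out and cleared before a later pass could move this key_state to S_ERROR and free the memory to_link now points at. Consider spelling that out in place of "we shortcircuit exiting of the outer process here", which is hard to parse, and consider a short comment at the `*to_link = b;` assignment itself noting that to_link aliases key_state storage and must not outlive the key_state. Given that the `return true` slipped in during the 9a7b95fda5 refactoring, a regression test that drives the control-channel send path together with an error in the same round would guard against this reappearing.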