From patchwork Wed Nov 15 10:33:31 2023
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3433
Delivered-To: patchwork@openvpn.net
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 15 Nov 2023 11:33:31 +0100
Message-ID: <20231115103331.18050-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.41.0
Subject: [Openvpn-devel] [PATCH v2] Do not check key_state buffers that are in S_UNDEF state

From: Arne Schwabe

When a key_state is in S_UNDEF the send_reliable is not initialised. So
checking it might access invalid memory or null pointers.

Github: fixes OpenVPN/openvpn#449

Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac
[a@unstable.cc: add check for !send_reliable and message]
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/426
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index cee4afe..b4cd8f5 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -3189,6 +3189,22 @@ for (int i = 0; i < KS_SIZE; i++) { struct key_state *ks = &session->key[i]; + if (ks->state == S_UNDEF) + { + continue; + } + + /* we don't expect send_reliable to be NULL when state is + * not S_UNDEF, but people have reported crashes nonetheless, + * therefore we better catch this event, report and exit. + */ + if (!ks->send_reliable) + { + msg(M_FATAL, "ERROR: session->key[%d]->send_reliable is NULL " + "while key state is %s. Exiting.", + i, state_name(ks->state)); + } + for (int j = 0; j < ks->send_reliable->size; j++) { if (ks->send_reliable->array[i].buf.data == dataptr)
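Review bot: the unchanged inner loop at the end of the hunk iterates with `j` but indexes `ks->send_reliable->array[i]`, so it compares the same entry `send_reliable->size` times and the index it uses is the key-slot index `i` (bounded by KS_SIZE), not a queue position; that should read `ks->send_reliable->array[j].buf.data == dataptr`. It is outside the lines this patch touches, so it can be a follow-up, but since the patch is specifically hardening this loop against crashes it is worth folding in. The new `M_FATAL` branch itself is fine as written: per the comment it reports and exits, so the loop below it never sees a NULL `send_reliable`.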
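The guard described in the commit message, as an added C example that is not OpenVPN's code: it models key slots with toy `struct key_state` / `struct reliable` layouts (assumed, simplified stand-ins with the patch's field names), skips S_UNDEF slots before touching `send_reliable`, returns an error instead of calling `msg(M_FATAL)` when an initialised slot has a NULL queue so a caller can observe that case, and indexes the queue by its own loop counter. The sample session is constructed inline; slot 0 deliberately carries a garbage pointer to show why the state check has to come first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-ins for the ssl.c structures (assumption: same field names as
 * the patch, but a simplified layout that is not OpenVPN's). */
enum key_state_id { S_UNDEF = 0, S_INITIAL, S_ACTIVE };
#define KS_SIZE 2
#define RELIABLE_CAP 4

struct buffer { unsigned char *data; };
struct reliable_entry { struct buffer buf; };
struct reliable { int size; struct reliable_entry array[RELIABLE_CAP]; };
struct key_state { enum key_state_id state; struct reliable *send_reliable; };
struct tls_session { struct key_state key[KS_SIZE]; };

static const char *state_name(enum key_state_id s)
{
    switch (s) {
    case S_UNDEF:   return "S_UNDEF";
    case S_INITIAL: return "S_INITIAL";
    case S_ACTIVE:  return "S_ACTIVE";
    }
    return "?";
}

/* Scan the session's live send queues for dataptr.
 * Returns 1 if found, 0 if not, -1 if an initialised slot has a NULL
 * send_reliable (the patch calls msg(M_FATAL) there; this toy reports the
 * condition through err instead so a caller can check it). */
int session_owns_buffer(const struct tls_session *session,
                        const unsigned char *dataptr,
                        char *err, size_t errlen)
{
    for (int i = 0; i < KS_SIZE; i++) {
        const struct key_state *ks = &session->key[i];

        /* An S_UNDEF slot was never set up: send_reliable may be NULL or
         * stale, so it must not be dereferenced at all. */
        if (ks->state == S_UNDEF) {
            continue;
        }
        if (!ks->send_reliable) {
            snprintf(err, errlen,
                     "session->key[%d]->send_reliable is NULL while key state is %s",
                     i, state_name(ks->state));
            return -1;
        }
        /* Index the queue with j (queue position), not i (key slot). */
        for (int j = 0; j < ks->send_reliable->size; j++) {
            if (ks->send_reliable->array[j].buf.data == dataptr) {
                return 1;
            }
        }
    }
    return 0;
}

/* Constructed sample session: slot 0 is S_UNDEF and carries a garbage
 * pointer (deliberately, to show the guard matters); slot 1 is active and
 * holds `payload` at queue position 2, where an array[i] indexing bug
 * (i == 1) would miss it. */
static unsigned char payload[16];
static unsigned char other[16];
static struct reliable live_queue;

static void build_session(struct tls_session *s)
{
    memset(s, 0, sizeof(*s));
    memset(&live_queue, 0, sizeof(live_queue));
    live_queue.size = 3;
    live_queue.array[2].buf.data = payload;

    s->key[0].state = S_UNDEF;
    s->key[0].send_reliable = (struct reliable *)(uintptr_t)0xdeadbeefu; /* never valid */
    s->key[1].state = S_ACTIVE;
    s->key[1].send_reliable = &live_queue;
}

int demo_hit(void)
{
    struct tls_session s; char err[128];
    build_session(&s);
    return session_owns_buffer(&s, payload, err, sizeof err);   /* 1 */
}

int demo_miss(void)
{
    struct tls_session s; char err[128];
    build_session(&s);
    return session_owns_buffer(&s, other, err, sizeof err);     /* 0 */
}

int demo_null_reliable(void)
{
    struct tls_session s; char err[128] = "";
    build_session(&s);
    s.key[1].send_reliable = NULL;                               /* the reported crash case */
    int rc = session_owns_buffer(&s, payload, err, sizeof err);
    return (rc == -1 && strstr(err, "S_ACTIVE") != NULL) ? -1 : rc;   /* -1 */
}

int main(void)
{
    printf("hit=%d miss=%d null=%d\n", demo_hit(), demo_miss(), demo_null_reliable());
    return 0;
}
```

Removing the `S_UNDEF` check from `session_owns_buffer` makes `demo_hit()` dereference the garbage pointer in slot 0, which is the failure the patch is closing; keeping the check but indexing `array[i]` makes `demo_hit()` return 0 instead of 1.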