From patchwork Tue Mar 19 14:09:39 2024
X-Patchwork-Submitter: Lev Stipakov
X-Patchwork-Id: 3656
From: Lev Stipakov
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Mar 2024 16:09:39 +0200
Message-ID: <20240319140957.2033-3-lev@openvpn.net>
X-Mailer: git-send-email 2.42.0.windows.2
X-Headers-End: 1rmaBp-0001E6-I8 Subject: [Openvpn-devel] [PATCH] interactive.c: Fix potential stack overflow issue X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Lev Stipakov , Heiko Hund , Vladimir Tokarev Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1793964145870800193?= X-GMAIL-MSGID: =?utf-8?q?1793964145870800193?= When reading message from the pipe, we first peek the pipe to get the size of the message waiting to be read and then read the message. A compromised OpenVPN process could send an excessively large message, which would result in a stack-allocated message buffer overflow. To address this, we terminate the misbehaving process if the peeked message size exceeds the maximum allowable size. Reported-by: Vladimir Tokarev Change-Id: Ib5743cba0741ea11f9ee62c4978b2c6789b81ada Signed-off-by: Lev Stipakov Acked-by: Heiko Hund --- src/openvpnserv/interactive.c | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 32c8996c..24e3f341 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -106,6 +106,18 @@ typedef struct { struct tun_ring *receive_ring; } ring_buffer_maps_t; +typedef union { + message_header_t header; + address_message_t address; + route_message_t route; + flush_neighbors_message_t flush_neighbors; + block_dns_message_t block_dns; + dns_cfg_message_t dns; + enable_dhcp_message_t dhcp; + register_ring_buffers_message_t rrb; + set_mtu_message_t mtu; + wins_cfg_message_t wins; +} pipe_message_t; static DWORD AddListItem(list_item_t **pfirst, LPVOID data) 
@@ -1610,19 +1622,7 @@ static VOID HandleMessage(HANDLE pipe, HANDLE ovpn_proc, DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists) { - DWORD read; - union { - message_header_t header; - address_message_t address; - route_message_t route; - flush_neighbors_message_t flush_neighbors; - block_dns_message_t block_dns; - dns_cfg_message_t dns; - enable_dhcp_message_t dhcp; - register_ring_buffers_message_t rrb; - set_mtu_message_t mtu; - wins_cfg_message_t wins; - } msg; + pipe_message_t msg; ack_message_t ack = { .header = { .type = msg_acknowledgement, @@ -1632,7 +1632,7 @@ HandleMessage(HANDLE pipe, HANDLE ovpn_proc, .error_number = ERROR_MESSAGE_DATA }; - read = ReadPipeAsync(pipe, &msg, bytes, count, events); + DWORD read = ReadPipeAsync(pipe, &msg, bytes, count, events); if (read != bytes || read < sizeof(msg.header) || read != msg.header.size) { goto out; @@ -2059,6 +2059,13 @@ RunOpenvpn(LPVOID p) break; } + if (bytes > sizeof(pipe_message_t)) + { + /* process at the other side of the pipe is misbehaving, shut it down */ + MsgToEventLog(MSG_FLAGS_ERROR, TEXT("OpenVPN process sent too large payload length to the pipe (%lu bytes), it will be terminated"), bytes); + break; + } + HandleMessage(ovpn_pipe, proc_info.hProcess, bytes, 1, &exit_event, &undo_lists); }
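Review bot: on the first hunk (@@ -106,6 +106,18 @@), the file-scope `pipe_message_t` union now has a second consumer, the size guard in RunOpenvpn, so a message type added to HandleMessage later but not to this union would be rejected before it is ever read; a one-line comment above the typedef stating that `sizeof(pipe_message_t)` is the maximum message length accepted from the pipe would keep the two in step.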
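Review bot: on the hunk at @@ -1632,7 +1632,7 @@, `DWORD read = ReadPipeAsync(...)` now declares a variable after the `ack` initialiser, i.e. mixed declarations and code; if the project still targets compilers without C99 mixed declarations, keep `DWORD read;` at the top of the block as the removed line in the previous hunk had it, otherwise the declaration at point of use is the cleaner form.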
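Review bot: on the last hunk (@@ -2059,6 +2059,13 @@), the event-log text says the peer "will be terminated" but the hunk itself only does `break;`, so please confirm that the code after the loop (not visible here) really terminates `ovpn_proc` rather than just closing the pipe, or reword the message to what actually happens. The same guard could also reject `bytes < sizeof(message_header_t)` so an undersized peek never reaches ReadPipeAsync; HandleMessage's `read < sizeof(msg.header)` check already covers that case, so this is optional.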
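The pattern the commit message describes (peek the pending length, then read it into a fixed-size stack union) with the patch's guard applied, as an added C model that is not the OpenVPN service code: `message_header_t`, `pipe_message_t`, the `pipe_msg_t` pipe model and the sample traffic are all constructed stand-ins, and the two-stage check (reject oversized lengths before the read, then compare `header.size` with the bytes read) follows the patched RunOpenvpn/HandleMessage flow.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for interactive.c's message union: a fixed-size stack
 * buffer sized for the largest message type the service accepts (64 bytes). */
typedef struct { uint32_t type; uint32_t size; } message_header_t;
typedef union {
    message_header_t header;
    struct { message_header_t header; uint8_t raw[56]; } largest;
} pipe_message_t;

/* Constructed model of a message-mode pipe: the peer controls both the length
 * that a peek reports for the next message and the bytes behind it. */
typedef struct { const uint8_t *data; uint32_t len; } pipe_msg_t;

enum { PEER_OK = 0, PEER_BAD_HEADER = 1, PEER_TERMINATED = 2 };

/* Mirrors the patched RunOpenvpn loop: peek, refuse an oversized length before
 * any read touches the stack buffer, then apply HandleMessage's header check.
 * Returns messages accepted; *verdict records why the loop stopped. */
static int serve_pipe(const pipe_msg_t *msgs, size_t n, int *verdict)
{
    int accepted = 0;
    *verdict = PEER_OK;
    for (size_t i = 0; i < n; i++) {
        pipe_message_t msg;              /* stack-allocated, as in interactive.c */
        uint32_t bytes = msgs[i].len;    /* what PeekNamedPipe would report */
        /* the patch's new guard: a length that cannot fit the union means a
         * misbehaving peer, so stop serving it instead of reading */
        if (bytes > sizeof(pipe_message_t)) { *verdict = PEER_TERMINATED; break; }
        memcpy(&msg, msgs[i].data, bytes);   /* cannot overflow: bytes <= sizeof msg */
        /* HandleMessage's consistency check: header must be complete and agree
         * with the length actually read; on failure it bails out and keeps serving */
        if (bytes < sizeof(msg.header) || msg.header.size != bytes) { *verdict = PEER_BAD_HEADER; continue; }
        accepted++;
    }
    return accepted;
}

/* Constructed traffic: a good message, one whose header lies about its size,
 * another good one, then a 4096-byte message that cannot fit the 64-byte union. */
static int run_demo(int *verdict)
{
    static uint8_t good1[16], liar[24], good2[24], huge[4096];
    message_header_t h1 = { 1, 16 }, h2 = { 2, 16 }, h3 = { 2, 24 }, h4 = { 3, 4096 };
    memcpy(good1, &h1, sizeof h1); memcpy(liar, &h2, sizeof h2);  /* host byte order */
    memcpy(good2, &h3, sizeof h3); memcpy(huge, &h4, sizeof h4);
    pipe_msg_t t[] = { { good1, 16 }, { liar, 24 }, { good2, 24 }, { huge, 4096 } };
    return serve_pipe(t, 4, verdict);
}
static int demo_accepted(void) { int v; return run_demo(&v); }
static int demo_verdict(void) { int v; run_demo(&v); return v; }
```

With the sample traffic, two messages are accepted, the mismatched header is skipped, and the 4096-byte peek stops the loop before any read.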