From patchwork Fri Nov 14 15:42:23 2025
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 4599
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 14 Nov 2025 16:42:23 +0100
Message-Id: <20251114154223.273047-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH v1] mudp: fix unaligned 32-bit read when parsing peer ID
Cc: Joshua Rogers

From: Gianmarco De Gregori The code previously read a 32-bit value from a uint8_t buffer using a direct cast and dereference. This can cause unaligned memory access and undefined behavior on architectures that do not support unaligned reads, potentially leading to a one-packet crash. This patch replaces the unsafe cast with a safe memcpy-based read. Reported-By: Joshua Rogers Found-By: ZeroPath (https://zeropath.com) Change-Id: Id0bb4c45d373437ab8dbaff7a311745f9b538cbf Signed-off-by: Gianmarco De Gregori Acked-by: Frank Lichtenheld Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1348 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1348 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 31134be..0653b219 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -209,7 +209,9 @@ /* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */ if (v2) { - uint32_t peer_id = ntohl(*(uint32_t *)ptr) & 0xFFFFFF; + uint32_t tmp; + memcpy(&tmp, ptr, sizeof(tmp)); + uint32_t peer_id = ntohl(tmp) & 0xFFFFFF; peer_id_disabled = (peer_id == MAX_PEER_ID); if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id]))
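
Review bot: In the `if (v2)` branch, `memcpy(&tmp, ptr, sizeof(tmp))` copies four bytes from `ptr`, and the only guarantee visible here is the comment about opcode (1 byte) plus peer-id (3 bytes); the length check itself lies outside the shown context, so please confirm it covers all four bytes before this copy runs. The name `tmp` does not say what it holds; a name such as `opcode_peer_id` would document that the leading byte is the opcode that `& 0xFFFFFF` masks off after `ntohl`. Since only the three peer-id bytes are wanted, composing the value from `ptr[1]`, `ptr[2]` and `ptr[3]` with shifts would be an alternative that needs neither the temporary nor the byte-order conversion.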