From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 10 Dec 2025 11:48:33 +0100
Message-ID: <20251210104839.8270-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v3] mudp: fix unaligned 32-bit read when parsing peer ID
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4676

From: Gianmarco De Gregori

The code previously read a 32-bit value from a uint8_t buffer
using a direct cast and dereference.
This can cause unaligned memory access and undefined behavior
on architectures that do not support unaligned reads,
potentially leading to a one-packet crash.

Fix this by reading the bytes individually and combining them manually.

Reported-By: Joshua Rogers
Found-By: ZeroPath (https://zeropath.com)
Change-Id: Id0bb4c45d373437ab8dbaff7a311745f9b538cbf
Signed-off-by: Gianmarco De Gregori Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1348 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1348 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index b03e165..5de3af6 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -209,7 +209,7 @@ /* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */ if (v2) { - uint32_t peer_id = ntohl(*(uint32_t *)ptr) & 0xFFFFFF; + uint32_t peer_id = ((uint32_t)ptr[1] << 16) | ((uint32_t)ptr[2] << 8) | ((uint32_t)ptr[3]); peer_id_disabled = (peer_id == MAX_PEER_ID); if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id]))
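
Review bot: the replacement line in the `if (v2)` branch indexes `ptr[1]` through `ptr[3]` with no comment saying why `ptr[0]` is skipped, whereas the old `& 0xFFFFFF` mask made the 24-bit width explicit. A short comment that byte 0 is the opcode and the peer-id is the next three bytes in network order would stop a later reader from "correcting" the offset. The expression is also long enough that wrapping it after each `|`, or moving it into a small helper, would make it easier to read. The length guarantee it depends on appears here only as the comment above the branch and the check itself is outside this hunk, so it is worth confirming that at least 4 bytes are available before `ptr[3]` is read.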