diff options
| author | Lev Stipakov | 2024-03-20 10:19:45 +0200 |
|---|---|---|
| committer | Gert Doering | 2024-03-20 09:41:55 +0100 |
| commit | d29496cce2d91a74706e3d5e4c48773715b10812 (patch) | |
| tree | 0b0763fa75950295b9238e908248289954baea24 | |
| parent | e0775c042c7908a9b315da8092b436d03abea08a (diff) | |
| download | openvpn-d29496cce2d91a74706e3d5e4c48773715b10812.zip openvpn-d29496cce2d91a74706e3d5e4c48773715b10812.tar.gz | |
interactive.c: Fix potential stack overflow issue
When reading message from the pipe, we first peek the pipe to get the size
of the message waiting to be read and then read the message. A compromised
OpenVPN process could send an excessively large message, which would result
in a stack-allocated message buffer overflow.
To address this, we terminate the misbehaving process if the peeked message
size exceeds the maximum allowable size.
This commit is backported from 9b2693f in release/2.6 branch, fixing
merge conflicts around &ring_buffer_handles and wins_cfg_message_t.
CVE: 2024-27459
Microsoft case number: 85932
Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
Change-Id: Ib5743cba0741ea11f9ee62c4978b2c6789b81ada
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Heiko Hund <heiko@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240320082000.284-2-lev@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28433.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| -rw-r--r-- | src/openvpnserv/interactive.c | 33 |
1 files changed, 20 insertions, 13 deletions
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 5e3ff12..933b5c8 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -111,6 +111,17 @@ typedef struct { HANDLE device; } ring_buffer_handles_t; +typedef union { + message_header_t header; + address_message_t address; + route_message_t route; + flush_neighbors_message_t flush_neighbors; + block_dns_message_t block_dns; + dns_cfg_message_t dns; + enable_dhcp_message_t dhcp; + register_ring_buffers_message_t rrb; + set_mtu_message_t mtu; +} pipe_message_t; static DWORD AddListItem(list_item_t **pfirst, LPVOID data) @@ -1444,18 +1455,7 @@ static VOID HandleMessage(HANDLE pipe, HANDLE ovpn_proc, ring_buffer_handles_t *ring_buffer_handles, DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists) { - DWORD read; - union { - message_header_t header; - address_message_t address; - route_message_t route; - flush_neighbors_message_t flush_neighbors; - block_dns_message_t block_dns; - dns_cfg_message_t dns; - enable_dhcp_message_t dhcp; - register_ring_buffers_message_t rrb; - set_mtu_message_t mtu; - } msg; + pipe_message_t msg; ack_message_t ack = { .header = { .type = msg_acknowledgement, @@ -1465,7 +1465,7 @@ HandleMessage(HANDLE pipe, HANDLE ovpn_proc, ring_buffer_handles_t *ring_buffer_ .error_number = ERROR_MESSAGE_DATA }; - read = ReadPipeAsync(pipe, &msg, bytes, count, events); + DWORD read = ReadPipeAsync(pipe, &msg, bytes, count, events); if (read != bytes || read < sizeof(msg.header) || read != msg.header.size) { goto out; @@ -1884,6 +1884,13 @@ RunOpenvpn(LPVOID p) break; } + if (bytes > sizeof(pipe_message_t)) + { + /* process at the other side of the pipe is misbehaving, shut it down */ + MsgToEventLog(MSG_FLAGS_ERROR, TEXT("OpenVPN process sent too large payload length to the pipe (%lu bytes), it will be terminated"), bytes); + break; + } + HandleMessage(ovpn_pipe, proc_info.hProcess, &ring_buffer_handles, bytes, 1, &exit_event, &undo_lists); } |