author | Steffan Karger | 2017-05-22 15:54:13 +0200 |
---|---|---|
committer | Gert Doering | 2017-06-13 09:36:10 +0200 |
commit | e6bf7e033d063535a4414a4cf49c8f367ecdbb4f (patch) | |
tree | 1c25b10db88a8c6a777d126f260a899e4823d4b0 | |
parent | 534c8f24bd8ceeaebb326f53363a4e40e970df1e (diff) | |
openssl: fix overflow check for long --tls-cipher option

The length check in tls_ctx_restrict_ciphers() did not check for overflow,
which could lead to a stack buffer overflow.

This has no real-world impact, because --tls-cipher can only be specified
by entities that are allowed to supply config settings. Since those
entities can also change --script-security and call scripts and/or
plugins, these users already have code execution at the level of the
openvpn process. In other words: the attacker would not gain any
capabilities. Nevertheless, a nasty bug that we should fix.

This bug was discovered and reported to the OpenVPN security team by
Guido Vranken.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1495461253-20111-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14716.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

-rw-r--r-- | src/openvpn/ssl_openssl.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 645ccf5..73c07e3 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -352,7 +352,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) } /* Make sure new cipher name fits in cipher string */ - if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len) + if ((SIZE_MAX - openssl_ciphers_len) < current_cipher_len + || ((sizeof(openssl_ciphers)-1) < openssl_ciphers_len + current_cipher_len)) { msg(M_FATAL, "Failed to set restricted TLS cipher list, too long (>%d).", |
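
Review bot: The first clause of the new `if`, `(SIZE_MAX - openssl_ciphers_len) < current_cipher_len`, exists only to keep the addition in the second clause from wrapping, and the unchanged comment above it ("Make sure new cipher name fits in cipher string") does not say so. Either extend that comment to name the wrap-around case, or avoid the addition altogether: reject when `openssl_ciphers_len > sizeof(openssl_ciphers)-1`, and otherwise compare `current_cipher_len` against `(sizeof(openssl_ciphers)-1) - openssl_ciphers_len`. That gives the same bound with no dependency on `SIZE_MAX`, and it makes visible that the removed line went wrong only when its subtraction underflowed. Separately, the `msg()` format string still prints the limit with `%d`; its argument is cut off here, but if it is derived from `sizeof` it needs a cast or a matching conversion specifier.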