diff options
| author | Steffan Karger <steffan.karger@fox-it.com> | 2014-11-20 13:43:05 +0100 |
|---|---|---|
| committer | Gert Doering <gert@greenie.muc.de> | 2014-11-28 20:28:53 +0100 |
| commit | c5590a6821e37f3b29735f55eb0c2b9c0924138c (patch) | |
| tree | d8750d54bdcd1af8dc8f18bac6e0cb8b3caa75ea /src | |
| parent | 65eedc353349d2967fc03c54da807727e416e1b0 (diff) | |
| download | openvpn-c5590a6821e37f3b29735f55eb0c2b9c0924138c.tar.gz openvpn-c5590a6821e37f3b29735f55eb0c2b9c0924138c.tar.xz openvpn-c5590a6821e37f3b29735f55eb0c2b9c0924138c.zip | |
Drop too-short control channel packets instead of asserting out.
This fixes a denial-of-service vulnerability where an authenticated client
could stop the server by triggering a server-side ASSERT().
OpenVPN would previously ASSERT() that control channel packets have a
payload of at least 4 bytes. An authenticated client could trigger this
assert by sending a too-short control channel packet to the server.
Thanks to Dragana Damjanovic for reporting the issue.
This bug has been assigned CVE-2014-8104.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7@FOXDFT02.FOX.local>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src')
| -rw-r--r-- | src/openvpn/ssl.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 2adfa26..cdc8eb1 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2036,7 +2036,11 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi ASSERT (session->opt->key_method == 2); /* discard leading uint32 */ - ASSERT (buf_advance (buf, 4)); + if (!buf_advance (buf, 4)) { + msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", + buf->len); + goto error; + } /* get key method */ key_method_flags = buf_read_u8 (buf); |