Commit 3c1b19e0 changed the maximum size of accepted control channel
packets.  This was needed for crypto negotiation (which is needed for a
nice transition to a new default cipher), but exposed a DoS
vulnerability.  The vulnerability was found during the OpenVPN 2.4 code
audit by Quarkslab (commissioned by OSTIF).

To fix the issue, we should not ASSERT() on external input (in this case
the received packet size), but instead gracefully error out and drop the
invalid packet.

Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com>
---
 Changes.rst       | 8 ++++++++
 src/openvpn/ssl.c | 7 ++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/Changes.rst b/Changes.rst
index 3dba7e0..734ef73 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -327,3 +327,11 @@ Bugfixes
 --------
 - Fix memory leak introduced in 2.4.1: if --remote-cert-tls is used, we leaked
   some memory on each TLS (re)negotiation.
+
+Security
+--------
+- Fix a pre-authentication denial-of-service attack on both clients and 
servers.
+  By sending a too-large control packet, OpenVPN 2.4.0 or 2.4.1 can be forced
+  to hit an ASSERT() and stop the process.  If ``--tls-auth`` or 
``--tls-crypt``
+  is used, only attackers that have the ``--tls-auth`` or ``--tls-crypt`` key
+  can mount an attack. (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478)
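
Review bot: The new Security entry only spells out the case where ``--tls-auth`` or ``--tls-crypt`` is in use, so a reader has to infer from "pre-authentication" what applies to setups without either option. Consider adding one sentence stating that case explicitly, and naming the release that carries the fix, since the entry currently lists only the affected versions (2.4.0 and 2.4.1).
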
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index b1f0f6b..4fca283 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -3716,7 +3716,12 @@ tls_pre_decrypt(struct tls_multi *multi,
                                 /* Save incoming ciphertext packet to reliable 
buffer */
                                 struct buffer *in = 
reliable_get_buf(ks->rec_reliable);
                                 ASSERT(in);
-                                ASSERT(buf_copy(in, buf));
+                                if(!buf_copy(in, buf))
+                                {
+                                    msg(D_MULTI_DROPPED,
+                                        "Incoming control channel packet too 
big, dropping.");
+                                    goto error;
+                                }
                                 
reliable_mark_active_incoming(ks->rec_reliable, in, id, op);
                             }
 
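Review bot: The `ASSERT(in);` directly above the new check is left in place, while the commit message says we should not ASSERT() on external input; please confirm (ideally in the commit message or a comment) that reliable_get_buf() cannot return NULL as a result of anything the peer sends at this point, or give it the same drop-and-`goto error` treatment. Two smaller points on the added lines: `if(!buf_copy(in, buf))` is missing the space after `if`, and the D_MULTI_DROPPED message would be more useful for diagnosing drops if it included the received packet length.
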
-- 
2.7.4

