Hi,

most patches that went into the tree today came to me by git-send-email, so I could re-send them to the list after embargo, and message-id:s referenced in the code match between mailing list, git tree, and in-reply-to in the ACK mail.

One patch came as a patch attached to a longer mail that I do not want to bounce "as is" to the list - so here's the patch that originally came to me as Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=c62dzaxn32w...@mail.gmail.com> and is referenced as such, plus my ACK-and-merge mail, both as attachments.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
From 83694284a1b7918fdf55c2e4ebebce2126bd92fa Mon Sep 17 00:00:00 2001 From: Guido Vranken <guidovran...@gmail.com> Date: Fri, 19 May 2017 14:04:25 +0200 Subject: [PATCH] Prevent two kinds of stack buffer OOB reads and a crash for invalid input data Signed-off-by: Guido Vranken <guidovran...@gmail.com> --- src/openvpn/ntlm.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 0c43681..bb8679f 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -197,7 +197,7 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_are */ char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */ - char buf2[128]; /* decoded reply from proxy */ + unsigned char buf2[128]; /* decoded reply from proxy */ unsigned char phase3[464]; char md4_hash[MD4_DIGEST_LENGTH+5]; @@ -303,7 +303,13 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_are tib_len = 96; } { - char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */ + char *tib_ptr; + int tib_pos = buf2[0x2c]; + if (tib_pos + tib_len > sizeof(buf2)) + { + return NULL; + } + tib_ptr = buf2 + tib_pos; /* Get Target Information block pointer */ memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */ } } -- 2.1.4
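Review bot: in the first hunk (the buf2 declaration at line 197), the comment on the changed line still reads only "decoded reply from proxy" and does not record why the element type matters. The second hunk uses buf2[0x2c] as an offset into the same array, so with plain char a byte of 0x80 or above can turn into a negative offset wherever char is signed. Suggest stating that in the comment, for example `/* decoded reply from proxy; unsigned because bytes are used as offsets */`, and saying in the commit message which of the listed problems this type change addresses.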
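Review bot: in the second hunk (line 303), tib_ptr is still declared `char *` while buf2 is now `unsigned char`, so `tib_ptr = buf2 + tib_pos;` assigns between pointer types of different signedness; it is only used as the memcpy source, so `const unsigned char *tib_ptr` would fit better. The new check also bounds the read by sizeof(buf2), the capacity of the array, not by the number of bytes of the proxy reply actually decoded into it; that length is not visible in this hunk, but if it is available at this point, comparing against it would be the tighter test. The `return NULL` path is silent as well, and a log message there would help when a malformed proxy reply is rejected.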
From: Gert Doering <g...@greenie.muc.de>
To: Guido Vranken <guidovran...@gmail.com>
Cc: openvpn-devel@lists.sourceforge.net
Subject: [PATCH applied] Re: Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
In-Reply-To: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=c62dzaxn32w...@mail.gmail.com>
References: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=c62dzaxn32w...@mail.gmail.com>

ACK.

Your patch has been applied to the master, release/2.4, 2.3 and 2.2 branch.

commit 7718c8984f04b507c1885f363970e2124e3c6c77 (master)
commit 043fe327878eba75efa13794c9845f85c3c629f2 (release/2.4)
commit f38a4a105979b87ebebe9be1c3d323116d3fb924 (release/2.3)
commit 4bec9d25d519a56bc40458e947d3dfa964b82b13 (release/2.2)
Author: Guido Vranken
Date: Fri May 19 14:04:25 2017 +0200

    Prevent two kinds of stack buffer OOB reads and a crash for invalid input data

    CVE: 2017-7520
    Signed-off-by: Guido Vranken <guidovran...@gmail.com>
    Acked-by: Gert Doering <g...@greenie.muc.de>
    Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=c62dzaxn32w...@mail.gmail.com>
    URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=c62dzaxn32w...@mail.gmail.com
    Signed-off-by: Gert Doering <g...@greenie.muc.de>

--
kind regards,

Gert Doering
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel