Re: [Openvpn-devel] Remote memory corruption

Gert Doering Thu, 21 Sep 2017 16:48:37 -0700

Hi,

On Tue, Aug 15, 2017 at 10:10:32AM +0200, Steffan Karger wrote:
[..]
> To all: following <54fc26bb.2000...@karger.me> and commit 1ce06386, I
> think it really is time to remove key method 1 from the master branch.
> 
> Attached a proposed patch to fix this issue in release/2.4 and master.
> 
> -Steffan


> From f7390bf97af7f1977547586529be1d51adde4c67 Mon Sep 17 00:00:00 2001
> From: Steffan Karger <steffan.kar...@fox-it.com>
> Date: Tue, 15 Aug 2017 10:04:33 +0200
> Subject: [PATCH] CVE-2017-xxx: fix bounds check in read_key()
> 
> The bounds check in read_key() was performed after using the value, instead
> of before.  If 'key-method 1' is used, this allowed an attacker to send a
> malformed packet to trigger a stack buffer overflow.
> 
> Fix this by moving the input validation to before the writes.
> 
> Note that 'key-method 1' has been replaced by 'key method 2' as the default
> in OpenVPN 2.0 (released on 2005-04-17), and explicitly deprecated in 2.4
> and marked for removal in 2.5.  This should limit the amount of users
> impacted by this issue.
> 
> Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com>
> ---
>  src/openvpn/crypto.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
> index cc3c7b6..0ebbcd0 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -1653,6 +1653,11 @@ read_key(struct key *key, const struct key_type *kt, 
> struct buffer *buf)
>          goto read_err;
>      }
>  
> +    if (cipher_length != kt->cipher_length || hmac_length != kt->hmac_length)
> +    {
> +        goto key_len_err;
> +    }
> +
>      if (!buf_read(buf, key->cipher, cipher_length))
>      {
>          goto read_err;
> @@ -1662,11 +1667,6 @@ read_key(struct key *key, const struct key_type *kt, 
> struct buffer *buf)
>          goto read_err;
>      }
>  
> -    if (cipher_length != kt->cipher_length || hmac_length != kt->hmac_length)
> -    {
> -        goto key_len_err;
> -    }
> -
>      return 1;
>  
>  read_err:

ACK.  Fixes the problem at hand and is generally good housekeeping
to check your things first :-)

Subject: and commit message needs "real" CVE message.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] Remote memory corruption

Reply via email to