The patch is fairly straightforward, and got a thorough review from Max
(thanks).
It was reported to us as a security vulnerability, but after some internal
discussion it was decided to not treat it as such, and not assign a CVE -
yes, the server can push a value that will make the client ASSERT() and
exit, but there are many other ways a server can achieve this (like,
push "ping-exit 1"). It cannot be used to overflow anything, discover
secrets, execute code on the client, etc., and it also cannot be used
by a non-trusted third party or by a client to crash a server.
Your patch has been applied to the master and release/2.7 branch (bugfix).
I think the fix should go to release/2.6 as well (bugfix), but since the
atoi_constrained() infrastructure is not there, the options.c patch does
not apply "as is" (the forward.c likely would).
commit aca8546df6b04afee275b78f92f5564f5590f76a (master)
commit b2d92f17b5c956346b951e21f216d0dae8f1239d (release/2.7)
Author: Arne Schwabe
Date: Fri Jun 5 20:09:25 2026 +0200
Ensure pushed tun-mtu is no lower than TUN_MTU_MIN
Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: MaxF <[email protected]>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1707
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg37069.html
Signed-off-by: Gert Doering <[email protected]>
--
kind regards,
Gert Doering
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
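The message above describes the defensive pattern behind the fix: a pushed `tun-mtu` value is parsed with a bounded integer parser so that anything below the minimum is rejected at option-parsing time instead of reaching an `ASSERT()` later. The following is an added, self-contained illustration of that pattern and is not OpenVPN's own code; `parse_int_constrained` and `apply_pushed_tun_mtu` are hypothetical names, the `TUN_MTU_MIN`/`TUN_MTU_MAX` values are assumed for illustration, and the pushed option lines are constructed sample input.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative bounds (assumed for this example; the real project's
 * constants may differ). */
#define TUN_MTU_MIN 100
#define TUN_MTU_MAX 65535

/* Parse a decimal integer and require it to lie in [min, max].
 * Returns true and stores the value on success; returns false and leaves
 * *out untouched for malformed input or an out-of-range value. */
static bool parse_int_constrained(const char *s, int min, int max, int *out)
{
    if (s == NULL || *s == '\0') {
        return false;
    }
    errno = 0;
    char *end = NULL;
    long v = strtol(s, &end, 10);
    /* Reject overflow, no digits at all, or trailing garbage. */
    if (errno != 0 || end == s || *end != '\0') {
        return false;
    }
    if (v < min || v > max) {
        return false;
    }
    *out = (int)v;
    return true;
}

/* Apply a pushed "tun-mtu <n>" line to the client's effective MTU.
 * An out-of-range value is rejected and the current MTU is kept, so the
 * bad value never reaches code that would assert on it.
 * Returns true if the pushed value was accepted. */
static bool apply_pushed_tun_mtu(const char *pushed_line, int *tun_mtu)
{
    static const char prefix[] = "tun-mtu ";
    const size_t plen = sizeof(prefix) - 1;

    if (pushed_line == NULL || strncmp(pushed_line, prefix, plen) != 0) {
        return false;
    }
    int v;
    if (!parse_int_constrained(pushed_line + plen, TUN_MTU_MIN, TUN_MTU_MAX, &v)) {
        fprintf(stderr, "rejecting pushed option '%s': tun-mtu must be in [%d, %d]\n",
                pushed_line, TUN_MTU_MIN, TUN_MTU_MAX);
        return false;
    }
    *tun_mtu = v;
    return true;
}

int main(void)
{
    int mtu = 1500; /* client's configured default (constructed) */
    /* Constructed pushed option lines, including hostile ones. */
    const char *pushed[] = {
        "tun-mtu 1400", "tun-mtu 1", "tun-mtu -5", "tun-mtu 12abc", "tun-mtu 70000",
    };
    for (size_t i = 0; i < sizeof(pushed) / sizeof(pushed[0]); i++) {
        bool ok = apply_pushed_tun_mtu(pushed[i], &mtu);
        printf("%-16s -> %s, effective tun-mtu = %d\n",
               pushed[i], ok ? "accepted" : "rejected", mtu);
    }
    return 0;
}
```

The point of the bounded parser is that the check happens once, where the value enters the client, and the caller gets a clean failure it can log and ignore rather than an abort; the same helper can be reused for any other numeric option that has a sane range.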