From: rootvector2 <[email protected]>

Github: OpenVPN/openvpn#1044

This has also been reported twice as a security relevant bug, but
only later than the original finding - and it isn't.

While --client-nat would modify a 32bit integer "after the packet"
(the place where an IPv4 address would be, in a well-formed packet),
the underlying buffer is always max-frame sized, and we never look
at the "modified integer" afterwards, so there are no consequences
warranting allocation of a CVE ID.

Signed-off-by: rootvector2 <[email protected]>
Acked-by: Arne Schwabe <[email protected]>
Acked-by: Antonio Quartulli <[email protected]>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1789
Reported-By: 章鱼哥 (www.aipyaipy.com)
Reported-By: Yu Zhang Wong <[email protected]>
Change-Id: I8219c6295acf28ff10ddb2fcc285f813c42fa8fe
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1789
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe <[email protected]>
Antonio Quartulli <[email protected]>

        
diff --git a/src/openvpn/proto.c b/src/openvpn/proto.c
index 13fe0a5..785c021 100644
--- a/src/openvpn/proto.c
+++ b/src/openvpn/proto.c
@@ -70,7 +70,7 @@
         if (proto == htons(OPENVPN_ETH_P_8021Q))
         {
             const struct openvpn_8021qhdr *evh;
-            if (BLENZ(buf) < sizeof(struct openvpn_ethhdr) + sizeof(struct 
openvpn_iphdr))
+            if (BLENZ(buf) < sizeof(struct openvpn_8021qhdr) + sizeof(struct 
openvpn_iphdr))
             {
                 return false;
             }


_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to