From: rootvector2 <[email protected]> Github: OpenVPN/openvpn#1044
This has also been reported twice as a security relevant bug, but only later than the original finding - and it isn't. While --client-nat would modify a 32bit integer "after the packet" (the place where an IPv4 address would be, in a well-formed packet), the underlying buffer is always max-frame sized, and we never look at the "modified integer" afterwards, so there are no consequences warranting allocation of a CVE ID. Signed-off-by: rootvector2 <[email protected]> Acked-by: Arne Schwabe <[email protected]> Acked-by: Antonio Quartulli <[email protected]> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1789 Reported-By: 章鱼哥 (www.aipyaipy.com) Reported-By: Yu Zhang Wong <[email protected]> Change-Id: I8219c6295acf28ff10ddb2fcc285f813c42fa8fe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1789 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe <[email protected]> Antonio Quartulli <[email protected]> diff --git a/src/openvpn/proto.c b/src/openvpn/proto.c index 13fe0a5..785c021 100644 --- a/src/openvpn/proto.c +++ b/src/openvpn/proto.c @@ -70,7 +70,7 @@ if (proto == htons(OPENVPN_ETH_P_8021Q)) { const struct openvpn_8021qhdr *evh; - if (BLENZ(buf) < sizeof(struct openvpn_ethhdr) + sizeof(struct openvpn_iphdr)) + if (BLENZ(buf) < sizeof(struct openvpn_8021qhdr) + sizeof(struct openvpn_iphdr)) { return false; } _______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
