git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Arne Schwabe <arne@rfc2549.org>
	Thu, 15 Dec 2022 19:01:38 +0000 (20:01 +0100)
committer	Gert Doering <gert@greenie.muc.de>
	Fri, 16 Dec 2022 08:52:19 +0000 (09:52 +0100)
commit	d75462fc70a2b0b26fb10063b15b6bfc5c8161db
tree	0ce55f720ac862ac8371ceb77e621285e59913fb	tree \| snapshot
parent	cdfdfb3da0ce714f43b23f679a8ef9b36ab9f370	commit \| diff

Ensure that argument to parse_line has always space for final sentinel

This fixes two places were we do not have enough space in the array
of parameters given to parse_line for the final NULL parameter that
signal the end of the parsed argument errors.

Both these cases can lead to a buffer overflow. But both of these
cases require root/admin access to OpenVPN:

- parse_argv, only able to trigger if starting openvpn from the command
  line, at this point you cannot  gain more privileges than you already
  have.

  Way to reproduce, compile with ASAN and run:

       openvpn --tls-verify a a a a a a a a a a a a a a a

- remove_iroutes_from_push_route_list

This operates on the list of pushed entries that is generated
by the server itself. So trigger this, you need to have control
over config, management interface, a plugin or cdd files.

The parse_argv problem was found by Trial of Bits. I found the
remove_iroutes_from_push_route_list problem by looking for similar
problems.

Reported-By: Trial of Bits (TOB-OVPN-4)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221215190143.2107896-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25734.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 749beb6d0cb9f8628997bb656ba2f64e31cac377)

src/openvpn/options.c		diff \| blob \| blame \| history
src/openvpn/push.c		diff \| blob \| blame \| history