2005.10.xx -- Version 2.1-beta5
+* Security fix -- Affects non-Windows OpenVPN clients of
+ version 2.0 or higher which connect to a malicious or
+ compromised server. A format string vulnerability
+ in the foreign_option function in options.c could
+ potentially allow a malicious or compromised server
+ to execute arbitrary code on the client. Only
+ non-Windows clients are affected. The vulnerability
+ only exists if (a) the client's TLS negotiation with
+ the server succeeds, (b) the server is malicious or
+ has been compromised such that it is configured to
+ push a maliciously crafted options string to the client,
+ and (c) the client indicates its willingness to accept
+ pushed options from the server by having "pull" or
+ "client" in its configuration file.
+* Security fix -- Potential DoS vulnerability on the
+ server in TCP mode. If the TCP server accept() call
+ returns an error status, the resulting exception handler
+ may attempt to indirect through a NULL pointer, causing
+ a segfault. Affects all OpenVPN 2.0 versions.
* Fix attempt of assertion at multi.c:1586 (note that
this precise line number will vary across different
versions of OpenVPN).
#endif
/* context init */
- init_instance (dest, src->c2.es, CC_USR1_TO_HUP | CC_GC_FREE);
+ init_instance (dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
if (IS_SIG (dest))
return;
void
close_context (struct context *c, int sig, unsigned int flags)
{
+ ASSERT (c);
+ ASSERT (c->sig);
+
if (sig >= 0)
c->sig->signal_received = sig;
c->sig->signal_received = SIGHUP;
}
- close_instance (c);
+ if (!(flags & CC_NO_CLOSE))
+ close_instance (c);
if (flags & CC_GC_FREE)
context_gc_free (c);
#define CC_GC_FREE (1<<0)
#define CC_USR1_TO_HUP (1<<1)
#define CC_HARD_USR1_TO_HUP (1<<2)
+#define CC_NO_CLOSE (1<<3)
+
void close_context (struct context *c, int sig, unsigned int flags);
struct context_buffers *init_context_buffers (const struct frame *frame);
generate_prefix (mi);
}
+ mi->did_open_context = true;
inherit_context_child (&mi->context, &m->top);
if (IS_SIG (&mi->context))
goto err;
- mi->did_open_context = true;
mi->context.c2.context_auth = CAS_PENDING;
in_addr_t push_ifconfig_remote_netmask;
/* client authentication state */
-# define CAS_SUCCEEDED 0
-# define CAS_PENDING 1
-# define CAS_FAILED 2
-# define CAS_PARTIAL 3 /* at least one client-connect script/plugin
+# define CAS_UNDEF 0
+# define CAS_SUCCEEDED 1
+# define CAS_PENDING 2
+# define CAS_FAILED 3
+# define CAS_PARTIAL 4 /* at least one client-connect script/plugin
succeeded while a later one in the chain failed */
int context_auth;
#endif
{
if (!first)
buf_printf (&value, " ");
- buf_printf (&value, argv[i]);
+ buf_printf (&value, "%s", argv[i]);
first = false;
}
}
projects / thirdparty / openvpn.git / commitdiff
