git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Steffan Karger <steffan.karger@fox-it.com>
	Mon, 19 Jun 2017 09:28:38 +0000 (11:28 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Mon, 19 Jun 2017 15:34:56 +0000 (17:34 +0200)
commit	2d032c7fcdfd692c851ea2fa858b4c2d9ea7d52d
tree	efe91454c45108d7f4765c67f23eee910c95edec	tree
parent	0007b2dbd12a83be3e4aeabc20550a5e16faf214	commit \| diff

Fix remote-triggerable memory leaks (CVE-2017-7521)

Several of our OpenSSL-specific certificate-parsing code paths did not
always clear all allocated memory.  Since a client can cause a few bytes
of memory to be leaked for each connection attempt, a client can cause a
server to run out of memory and thereby kill the server.  That makes this
a (quite inefficient) DoS attack.

When using the --x509-alt-username option on openssl builds with an
extension (argument prefixed with "ext:", e.g. "ext:subjectAltName"), the
code would not free all allocated memory.  Fix this by using the proper
free function.

If ASN1_STRING_to_UTF8() returns 0, it didn't fail and *did* allocate
memory.  So also free the returned buffer if it returns 0.

These issues were found, analysed and reported to the OpenVPN team by Guido
Vranken.

CVE: 2017-7521
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Guido Vranken <guidovranken@gmail.com>
Message-Id: <1497864520-12219-4-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-4-git-send-email-steffan.karger@fox-it.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Changes.rst		diff \| blob \| blame \| history
src/openvpn/ssl_verify_openssl.c		diff \| blob \| blame \| history