Fixed port-share bug with DoS potential

Fixed port-share bug that can cause segfault when the number
of concurrent connections is large.

The issue is that the port-share code calls openvpn_connect()
which in turn calls select().  When there are a high number
of concurrent port-share connections, the fd passed to select
can potentially exceed FD_SETSIZE, causing undefined behavior.

The fix is to use poll() (if available) instead of select().

Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1Abx+2E2FZN-y6P=mkKpSuZ7bOV5m6rUMTx3V7UP2qPMjZPg@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11626
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 007738e9d6030c8989713543e4f7308ff57be30f)

diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index d110e90f20ef259c9fa0d5b676b2d80320bf54e5..b7ac3398ded96802aa9801b69da58d04807f01ea 100644 (file)
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -934,6 +934,12 @@ openvpn_connect (socket_descriptor_t sd,
     {
       while (true)
        {
+#if POLL
+         struct pollfd fds[1];
+         fds[0].fd = sd;
+         fds[0].events = POLLOUT;
+         status = poll(fds, 1, 0);
+#else
          fd_set writes;
          struct timeval tv;
 
@@ -943,7 +949,7 @@ openvpn_connect (socket_descriptor_t sd,
          tv.tv_usec = 0;
 
          status = select (sd + 1, NULL, &writes, NULL, &tv);
-
+#endif
          if (signal_received)
            {
              get_signal (signal_received);