From: Selva Nair Date: Fri, 20 Oct 2017 17:25:56 +0000 (-0400) Subject: Avoid illegal memory access when malformed data is read from the pipe X-Git-Tag: v2.5_beta1~579 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f20808c8f37301c43d822f6a22d30b3587abc57;p=thirdparty%2Fopenvpn.git Avoid illegal memory access when malformed data is read from the pipe - If only 1 byte is read from the interactive service client pipe, that evaluates to zero wide characters and subsequent check for NUL termination in the data buffer segfaults. Fix: reject clients that send less than a complete wide character. Signed-off-by: Selva Nair Acked-by: Gert Doering Message-Id: <1508520356-18277-1-git-send-email-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15657.html Signed-off-by: Gert Doering --- diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index b4a3d5c31..0c91199a8 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -466,6 +466,13 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud) } size = bytes / sizeof(*data); + if (size == 0) + { + MsgToEventLog(M_SYSERR, TEXT("malformed startup data: 1 byte received")); + ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); + goto out; + } + data = malloc(bytes); if (data == NULL) {
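Review bot: The new `if (size == 0)` check placed after `size = bytes / sizeof(*data);` only rejects a read shorter than one wide character; an odd byte count larger than that still passes, and the integer division silently drops the trailing byte. Since the intent stated in the commit message is to reject clients that send less than a complete wide character, consider rejecting any length that is not a whole number of wide characters, for example `if (size == 0 || bytes % sizeof(*data) != 0)`. The event log text also hard-codes "1 byte received"; logging the actual value of `bytes` would keep the message accurate if the condition is widened this way.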