From: James Yonan <james@openvpn.net>
Date: Thu, 3 Mar 2016 07:48:12 +0000 (-0700)
Subject: Fixed port-share bug with DoS potential
X-Git-Tag: v2.3.11~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9030fd4cc6283e30f927f950310fc0f83edb5e4d;p=thirdparty%2Fopenvpn.git

Fixed port-share bug with DoS potential

Fixed port-share bug that can cause segfault when the number
of concurrent connections is large.

The issue is that the port-share code calls openvpn_connect()
which in turn calls select().  When there are a high number
of concurrent port-share connections, the fd passed to select
can potentially exceed FD_SETSIZE, causing undefined behavior.

The fix is to use poll() (if available) instead of select().

Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <CAA1Abx+2E2FZN-y6P=mkKpSuZ7bOV5m6rUMTx3V7UP2qPMjZPg@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11626
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 007738e9d6030c8989713543e4f7308ff57be30f)
---

diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index d110e90f2..b7ac3398d 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -934,6 +934,12 @@ openvpn_connect (socket_descriptor_t sd,
     {
       while (true)
 	{
+#if POLL
+	  struct pollfd fds[1];
+	  fds[0].fd = sd;
+	  fds[0].events = POLLOUT;
+	  status = poll(fds, 1, 0);
+#else
 	  fd_set writes;
 	  struct timeval tv;
 
@@ -943,7 +949,7 @@ openvpn_connect (socket_descriptor_t sd,
 	  tv.tv_usec = 0;
 
 	  status = select (sd + 1, NULL, &writes, NULL, &tv);
-
+#endif
 	  if (signal_received)
 	    {
 	      get_signal (signal_received);