From b52c1ff43b23c3cf438fb99b807a7309d3229a56 Mon Sep 17 00:00:00 2001 From: Steffan Karger Date: Mon, 22 May 2017 15:54:13 +0200 Subject: [PATCH] openssl: fix overflow check for long --tls-cipher option The length check in tls_ctx_restrict_ciphers() did not check for overflow, which could lead to a stack buffer overflow. This has no real-world impact, because --tls-cipher can only be specified by entities that are allowed to supply config settings. Since those entities can also change --script-security and call scripts and/or plugins, these users already have code execution at the level of the openvpn process. In other words: the attacker would not gain any capabilities. Nevertheless, a nasty bug that we should fix. This bug was discovered and reported to the OpenVPN security team by Guido Vranken. Signed-off-by: Steffan Karger Acked-by: Gert Doering Message-Id: <1495461253-20111-1-git-send-email-steffan.karger@fox-it.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14716.html Signed-off-by: Gert Doering (cherry picked from commit e6bf7e033d063535a4414a4cf49c8f367ecdbb4f) --- src/openvpn/ssl_openssl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index d7cc2ba44..8117435e9 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -355,7 +355,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) } /* Make sure new cipher name fits in cipher string */ - if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len) + if ((SIZE_MAX - openssl_ciphers_len) < current_cipher_len + || ((sizeof(openssl_ciphers)-1) < openssl_ciphers_len + current_cipher_len)) { msg(M_FATAL, "Failed to set restricted TLS cipher list, too long (>%d).", -- 2.47.2