From b9b5470521294209146c7253a97012d399978d72 Mon Sep 17 00:00:00 2001
From: Antonio Quartulli
Date: Tue, 28 Oct 2025 17:28:38 +0100
Subject: [PATCH] sitnl: set FD_CLOEXEC on socket to prevent abuse

Since OpenVPN spawns various child processes, it is important that sockets are closed after calling exec. The sitnl socket didn't have the right flag set, resulting in it surviving in, for example, connect/disconnect scripts and giving the latter a chance to abuse the socket. Ensure this doesn't happen by setting FD_CLOEXEC on this socket right after creation.

Reported-by: Joshua Rogers
Found-by: ZeroPath (https://zeropath.com/)
Change-Id: I54845bf4dd17d06cfc3b402f188795f74f4b1d3e
Signed-off-by: Antonio Quartulli
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1314
Message-Id: <20251028162843.18189-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33952.html
Signed-off-by: Gert Doering
---
 CMakeLists.txt | 1 +
 src/openvpn/networking_sitnl.c | 4 ++++
 tests/unit_tests/openvpn/Makefile.am | 1 +
 3 files changed, 6 insertions(+)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5954a6e9c..bf754f352 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -923,6 +923,7 @@ if (BUILD_TESTING)
 src/openvpn/crypto_openssl.c
 src/openvpn/crypto.c
 src/openvpn/crypto_epoch.c
+ src/openvpn/fdmisc.c
 src/openvpn/otime.c
 src/openvpn/packet_id.c
 )
diff --git a/src/openvpn/networking_sitnl.c b/src/openvpn/networking_sitnl.c
index b3adb16ba..3e20b7004 100644
--- a/src/openvpn/networking_sitnl.c
+++ b/src/openvpn/networking_sitnl.c
@@ -27,6 +27,7 @@
 
 #include "dco.h"
 #include "errlevel.h"
+#include "fdmisc.h"
 #include "buffer.h"
 #include "misc.h"
 #include "networking.h"
@@ -181,6 +182,9 @@ sitnl_socket(void)
 return fd;
 }
 
+ /* set close on exec to avoid child processes access the socket */
+ set_cloexec(fd);
+
 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof(sndbuf)) < 0)
 {
 msg(M_WARN | M_ERRNO, "%s: SO_SNDBUF", __func__);
diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am
index 997703a87..0f13172b1 100644
--- a/tests/unit_tests/openvpn/Makefile.am
+++ b/tests/unit_tests/openvpn/Makefile.am
@@ -196,6 +196,7 @@ networking_testdriver_SOURCES = test_networking.c mock_msg.c \
 $(top_srcdir)/src/openvpn/crypto_epoch.c \
 $(top_srcdir)/src/openvpn/crypto_mbedtls.c \
 $(top_srcdir)/src/openvpn/crypto_openssl.c \
+ $(top_srcdir)/src/openvpn/fdmisc.c \
 $(top_srcdir)/src/openvpn/otime.c \
 $(top_srcdir)/src/openvpn/packet_id.c \
 $(top_srcdir)/src/openvpn/platform.c
-- 
2.47.3
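Review bot: In the `sitnl_socket()` hunk of src/openvpn/networking_sitnl.c, the flag is applied by a separate `set_cloexec(fd);` call after the descriptor already exists, so there is a short window between creation and that call in which a fork/exec elsewhere in the process would still inherit the netlink socket. sitnl is netlink-based and, as far as I can tell, Linux-only, so the flag could be requested atomically by OR-ing `SOCK_CLOEXEC` into the type argument of the `socket()` call, keeping `set_cloexec(fd);` as a fallback if older kernels matter. That call sits above the hunk and the function continues below it, so its exact form is not visible here. The added comment would read more clearly as `/* set close-on-exec so child processes do not inherit the socket */`. Nothing in this patch checks the flag, so a unit test asserting `fcntl(fd, F_GETFD) & FD_CLOEXEC` on the returned descriptor would guard against regression.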