git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Arne Schwabe <arne@rfc2549.org>
	Thu, 15 Dec 2022 19:01:38 +0000 (20:01 +0100)
committer	Gert Doering <gert@greenie.muc.de>
	Fri, 16 Dec 2022 08:47:26 +0000 (09:47 +0100)
commit	749beb6d0cb9f8628997bb656ba2f64e31cac377
tree	976be434ef7cc0233df716aaa2d2f9736f4d6b2c	tree
parent	0567da5377704cf64bd2599f2d49aa478d386941	commit \| diff

Ensure that argument to parse_line has always space for final sentinel

This fixes two places were we do not have enough space in the array
of parameters given to parse_line for the final NULL parameter that
signal the end of the parsed argument errors.

Both these cases can lead to a buffer overflow. But both of these
cases require root/admin access to OpenVPN:

- parse_argv, only able to trigger if starting openvpn from the command
  line, at this point you cannot  gain more privileges than you already
  have.

  Way to reproduce, compile with ASAN and run:

       openvpn --tls-verify a a a a a a a a a a a a a a a

- remove_iroutes_from_push_route_list

This operates on the list of pushed entries that is generated
by the server itself. So trigger this, you need to have control
over config, management interface, a plugin or cdd files.

The parse_argv problem was found by Trial of Bits. I found the
remove_iroutes_from_push_route_list problem by looking for similar
problems.

Reported-By: Trial of Bits (TOB-OVPN-4)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221215190143.2107896-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25734.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

src/openvpn/options.c		diff \| blob \| blame \| history
src/openvpn/push.c		diff \| blob \| blame \| history