git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Arne Schwabe <arne@rfc2549.org>
	Mon, 27 May 2024 13:02:41 +0000 (15:02 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Wed, 19 Jun 2024 12:04:40 +0000 (14:04 +0200)
commit	414f428fa29694090ec4c46b10a8aba419c85659
tree	256d1c76973c387f0c228914338809a0e2c58838	tree
parent	b3a68b85a729628ca8b97f9f0c2813f795289cfc	commit \| diff

Properly handle null bytes and invalid characters in control messages

This makes OpenVPN more picky in accepting control message in two aspects:
- Characters are checked in the whole buffer and not until the first
  NUL byte
- if the message contains invalid characters, we no longer continue
  evaluating a fixed up version of the message but rather stop
  processing it completely.

Previously it was possible to get invalid characters to end up in log
files or on a terminal.

This also prepares the logic a bit in the direction of having a proper
framing of control messages separated by null bytes instead of relying
on the TLS framing for that. All OpenVPN implementations write the 0
bytes between control commands.

This patch also include several improvement suggestion from Reynir
(thanks!).

CVE: 2024-5594

Reported-By: Reynir Björnsson <reynir@reynir.dk>
Change-Id: I0d926f910637dabc89bf5fa919dc6beef1eb46d9
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20240619103004.56460-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28791.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

src/openvpn/buffer.c		diff \| blob \| blame \| history
src/openvpn/buffer.h		diff \| blob \| blame \| history
src/openvpn/forward.c		diff \| blob \| blame \| history
tests/unit_tests/openvpn/test_buffer.c		diff \| blob \| blame \| history