Marius Tomaschewski
9c3259ca06
- Preform deferred authentication in the background to not cause main daemon processing delays when the underlying pam mechanism (e.g. ldap) needs longer to response (bsc#959511). [+ 0001-preform-deferred-authentication-in-the-background.patch] - Added fix for possible heap overflow on read accessing getaddrinfo result (bsc#959714). [+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch] - Added a patch to fix multiple low severity issues (bsc#934237). [+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch] OBS-URL: https://build.opensuse.org/request/show/489820 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=115
67 lines
2.6 KiB
Diff
67 lines
2.6 KiB
Diff
Author: Gert Doering <gert@greenie.muc.de>
|
|
Date: Tue Nov 10 22:58:39 2015 +0100
|
|
|
|
Fix possible heap overflow on read accessing getaddrinfo() result.
|
|
|
|
The code always tried to copy-out a "struct sockaddr_in6" even for IPv4
|
|
results, which reads more bytes than getaddrinfo() is guaranteed to
|
|
allocate.
|
|
|
|
Now, look at ai->ai_family and only copy "struct sockaddr" for IPv4.
|
|
|
|
Also, reformat this block of code to comply to coding style.
|
|
|
|
This is a specific 2.3 bug as the code in master (to be 2.4) has been
|
|
completely rewritten to properly handle dual-stack and multiple responses
|
|
from getaddrinfo() proper.
|
|
|
|
Bug found by Daniel Hirche using "gcc -fsanitize=address". No possible
|
|
exploits are known.
|
|
|
|
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Acked-by: Arne Schwabe <arne@rfc2549.org>
|
|
Message-Id: <1447192719-31381-1-git-send-email-gert@greenie.muc.de>
|
|
URL: http://article.gmane.org/gmane.network.openvpn.devel/10479
|
|
|
|
References: bsc#959714
|
|
|
|
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
|
|
index a143853..0f46bad 100644
|
|
--- a/src/openvpn/socket.c
|
|
+++ b/src/openvpn/socket.c
|
|
<at> <at> -1259,20 +1259,24 <at> <at> resolve_remote (struct link_socket *sock,
|
|
ASSERT (0);
|
|
}
|
|
|
|
- /* Temporary fix, this need to be changed for dual stack */
|
|
- status = openvpn_getaddrinfo(flags, sock->remote_host, retry,
|
|
- signal_received, af, &ai);
|
|
- if(status == 0) {
|
|
- sock->info.lsa->remote.addr.in6 = *((struct sockaddr_in6*)(ai->ai_addr));
|
|
- freeaddrinfo(ai);
|
|
+ /* Temporary fix, this need to be changed for dual stack */
|
|
+ status = openvpn_getaddrinfo(flags, sock->remote_host, retry,
|
|
+ signal_received, af, &ai);
|
|
+ if(status == 0)
|
|
+ {
|
|
+ if ( ai->ai_family == AF_INET6 )
|
|
+ sock->info.lsa->remote.addr.in6 = *((struct sockaddr_in6*)(ai->ai_addr));
|
|
+ else
|
|
+ sock->info.lsa->remote.addr.in4 = *((struct sockaddr_in*)(ai->ai_addr));
|
|
+ freeaddrinfo(ai);
|
|
|
|
- dmsg (D_SOCKET_DEBUG, "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d",
|
|
+ dmsg (D_SOCKET_DEBUG, "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d",
|
|
flags,
|
|
phase,
|
|
retry,
|
|
signal_received ? *signal_received : -1,
|
|
status);
|
|
- }
|
|
+ }
|
|
if (signal_received)
|
|
{
|
|
if (*signal_received)
|
|
--
|
|
2.4.9
|