OpenVPN is an open source VPN daemon

Fix overflow check in openvpn_decrypt()

Sebastian Krahmer from the SuSE security team reported that the buffer
overflow check in openvpn_decrypt() was too strict according to the
cipher update function contract:

"The amount of data written depends on the block alignment of the
encrypted data: as a result the amount of data written may be anything
from zero bytes to (inl + cipher_block_size - 1) so outl should contain
sufficient room."

This stems from the way CBC mode works, which caches input and 'flushes'
it block-wise to the output buffer.  We do allocate enough space for this
extra block in the output buffer for CBC mode, but not for CFB/OFB modes.

This patch:
 * updates the overflow check to also verify that the extra block required
   according to the function contract is available.
 * uses buf_inc_len() to double-check for overflows during en/decryption.
 * also reserves the extra block for non-CBC cipher modes.

In practice, I could not find a way in which this would fail. The plaintext
is never longer than the ciphertext, and the implementations of CBC/OFB/CBC
for AES and BF in both OpenSSL and PolarSSL/mbed TLS do not use the buffer
beyond the plaintext length when decrypting.  However, some funky OpenSSL
engine I did not check *might* use the buffer space required by the
function contract.  So we should still make sure we have enough room
anyway.

v2 - always ASSERT() on buf_inc_len().  It is a double-check so should
     really not fail, but if it fails there has been a buffer overflow.
     At that point the best thing we can do is assert out. (The primary
     check *is* handled gracefully, and just drops the packet.)

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1438165826-32762-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9974
Signed-off-by: Gert Doering <gert@greenie.muc.de>
latest commit cc377dec82
@syzzer syzzer authored cron2 committed
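
Added example, not part of the commit or of OpenVPN's code: a small C model of the cipher-update contract quoted in the commit message above, showing why a single update call can emit more bytes than it was given and how the capacity check accounts for that. The names outbuf, toy_ctx, update_fits, outbuf_inc_len and toy_update and the 64-byte buffer are assumptions; the toy context only copies bytes and performs no encryption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define BLOCK 16 /* constructed block size */

/* Hypothetical bounded buffer and toy context (assumed names, not OpenVPN's). */
struct outbuf { unsigned char data[64]; size_t len; };
struct toy_ctx { unsigned char cache[BLOCK]; size_t cached; };
static size_t room(const struct outbuf *b) { return sizeof(b->data) - b->len; }

/* Primary check: the contract allows up to inl + BLOCK - 1 output bytes. */
bool update_fits(const struct outbuf *b, size_t inl)
{
    return inl <= room(b) && room(b) - inl >= BLOCK - 1;
}

/* Double-check after the write, in the spirit of buf_inc_len(). The commit
 * asserts when this fails; this model reports false instead. */
bool outbuf_inc_len(struct outbuf *b, size_t n)
{
    if (n > room(b)) return false;
    b->len += n;
    return true;
}

/* Models only the output length of a block-caching update; no encryption.
 * Returns bytes written, or -1 when the packet should be dropped. */
long toy_update(struct toy_ctx *c, struct outbuf *out,
                const unsigned char *in, size_t inl)
{
    if (!update_fits(out, inl)) return -1;
    size_t written = 0;
    for (size_t i = 0; i < inl; i++) {
        c->cache[c->cached++] = in[i];
        if (c->cached == BLOCK) { /* flush one full block */
            memcpy(out->data + out->len + written, c->cache, BLOCK);
            written += BLOCK;
            c->cached = 0;
        }
    }
    return outbuf_inc_len(out, written) ? (long)written : -1;
}

int main(void)
{
    struct toy_ctx c = {0}; struct outbuf o = {0}; unsigned char in[BLOCK] = {0};
    toy_update(&c, &o, in, BLOCK - 1); /* cached only, nothing written */
    printf("1 byte in -> %ld bytes out\n", toy_update(&c, &o, in, 1));
    return 0;
}
```
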
build build: msvc: upgrade to Visual Studio 2010 + fixups
contrib cert_data: fix memory leak
debug build: standard directory layout
distro Include systemd units in the source tarball (make dist)
doc Document --daemon changes and consequences (--askpass, --auth-nocache).
include Fix build on OpenSolaris (non-gmake)
m4 build: ax_varargs.m4: fixups
sample Provide OpenVPN runtime version information to plug-ins
src Fix overflow check in openvpn_decrypt()
tests Revert "Enforce "serial-tests" behaviour for tests/Makefile"
.gitattributes cleanup: add .gitattributes to control eol style explicitly
.gitignore Provide compile time OpenVPN version information to plug-ins
.mailmap Added mapping files from SVN commit ID to more descriptive commit IDs.
.svncommitters Added mapping files from SVN commit ID to more descriptive commit IDs.
AUTHORS Renamed branch to reflect that it is no longer beta.
COPYING Renamed branch to reflect that it is no longer beta.
COPYRIGHT.GPL Renamed branch to reflect that it is no longer beta.
ChangeLog Preparing for v2.3_beta1
INSTALL t_client.sh: Write errors to stderr and document requirements
INSTALL-win32.txt Added cross-compilation information INSTALL-win32.txt
Makefile.am Minor t_client.sh cleanups
NEWS Renamed branch to reflect that it is no longer beta.
PORTS Renamed branch to reflect that it is no longer beta.
README Updated README
README.IPv6 Update IPv6 related readme files
README.ec Add support for elliptic curve diffie-hellmann key exchange (ECDH)
README.polarssl Update README.polarssl
TODO.IPv6 Update IPv6 related readme files
compat.m4 build: add git revision to --version output if build from git repository
config-msvc-version.h.in build: win-msvc: msbuild format
config-msvc.h Remove ENABLE_SSL define (and --disable-ssl configure option)
configure.ac Fix out-of-tree builds; openvpn-plugin.h should be in AC_CONFIG_HEADERS
msvc-build.bat build: msvc: chdir with change drive to script location
msvc-dev.bat build: msvc: chdir with change drive to script location
msvc-env.bat build: msvc: chdir with change drive to script location
openvpn.sln build: msvc: upgrade to Visual Studio 2010 + fixups
version.m4 Provide compile time OpenVPN version information to plug-ins
version.sh.in build: windows: install version.sh to allow installer read version

README

OpenVPN -- A Secure tunneling daemon

Copyright (C) 2002-2010 OpenVPN Technologies, Inc. This program is free software;
you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2
as published by the Free Software Foundation.

*************************************************************************

For the latest version of OpenVPN, go to:

	http://openvpn.net/

To Build and Install,

	./configure
	make
	make install

or see the file INSTALL for more info.

*************************************************************************

For detailed information on OpenVPN, including examples, see the man page
  http://openvpn.net/man.html

For a sample VPN configuration, see
  http://openvpn.net/howto.html

For a description of OpenVPN's underlying protocol,
  see the file ssl.h included in the source distribution.

*************************************************************************

Other Files & Directories:

* INSTALL-win32.txt -- installation instructions
  for Windows

* configure.ac -- script to rebuild our configure
  script and makefile.

* sample/sample-scripts/verify-cn

  A sample perl script which can be used with OpenVPN's
  --tls-verify option to provide a customized authentication
  test on embedded X509 certificate fields.

* sample/sample-keys/

  Sample RSA keys and certificates.  DON'T USE THESE FILES
  FOR ANYTHING OTHER THAN TESTING BECAUSE THEY ARE TOTALLY INSECURE.

* sample/sample-config-files/

  A collection of OpenVPN config files and scripts from
  the HOWTO at http://openvpn.net/howto.html

*************************************************************************

Note that easy-rsa and tap-windows are now maintained in their own subprojects.
Their source code is available here:

  https://github.com/OpenVPN/easy-rsa
  https://github.com/OpenVPN/tap-windows

The old cross-compilation environment (domake-win) and the Python-based
buildsystem have been replaced with openvpn-build:

  https://github.com/OpenVPN/openvpn-build

See the INSTALL file for usage information.