Fix Vulnerability: CVE-2023-32275 TALOS-2023-1753

SoftEther VPN CtEnumCa () information disclosure vulnerability https://www.softether.org/9-about/News/904-SEVPN202301 https://jvn.jp/en/jp/JVN64316789/
SoftEtherVPN · Oct 7, 2023 · f4bbe47 · f4bbe47
1 parent 2dec52b
commit f4bbe47
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 7 deletions.
diff --git a/src/Mayaqua/Encrypt.c b/src/Mayaqua/Encrypt.c
@@ -712,15 +712,20 @@ UINT RsaPublicSize(K *k)
 // Hash a pointer to a 32-bit
 UINT HashPtrToUINT(void *p)
 {
-	UCHAR hash_data[MD5_SIZE];
+	UCHAR hash_data[SHA256_SIZE];
+	UCHAR hash_src[CANARY_RAND_SIZE + sizeof(void *)];
 	UINT ret;
 	// Validate arguments
 	if (p == NULL)
 	{
 		return 0;
 	}
 
-	Md5(hash_data, &p, sizeof(p));
+	Zero(hash_src, sizeof(hash_src));
+	Copy(hash_src + 0, GetCanaryRand(CANARY_RAND_ID_PTR_KEY_HASH), CANARY_RAND_SIZE);
+	Copy(hash_src + CANARY_RAND_SIZE, p, sizeof(void *));
+
+	Sha2_256(hash_data, hash_src, sizeof(hash_src));
 
 	Copy(&ret, hash_data, sizeof(ret));
 

diff --git a/src/Mayaqua/MayaType.h b/src/Mayaqua/MayaType.h
@@ -123,11 +123,7 @@ typedef int (COMPARE)(void *p1, void *p2);
 #define	GET_ABS(a)			((a) >= 0 ? (a) : -(a))
 
 // Convert the pointer to UINT
-#ifdef	CPU_64
-#define	POINTER_TO_KEY(p)		HashPtrToUINT(p)
-#else
-#define	POINTER_TO_KEY(p)		(UINT)(p)
-#endif
+#define	POINTER_TO_KEY(p)		(HashPtrToUINT(p))
 
 // Compare the pointer and UINT
 #define	COMPARE_POINTER_AND_KEY(p, i)	(POINTER_TO_KEY(p) == (i))

diff --git a/src/Mayaqua/Memory.h b/src/Mayaqua/Memory.h
@@ -378,6 +378,8 @@ bool AddStrToStrListDistinct(LIST *o, char *str);
 #define CANARY_RAND_ID_MEMTAG_MAGIC		0
 #define CANARY_RAND_SIZE				20
 
+#define CANARY_RAND_ID_PTR_KEY_HASH		1
+
 void InitCanaryRand();
 UCHAR *GetCanaryRand(UINT id);