File openvpn-2.3.x-fixed-multiple-low-severity-issue... of Package openvpn.4886

Overview Repositories Revisions Requests Users Attributes Meta

File openvpn-2.3.x-fixed-multiple-low-severity-issues.patch of Package openvpn.4886

From:Sebastian Krahmer <krahmer@suse.com>
References: bsc#934237

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index c2d5c27..d4897b0 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -151,7 +151,7 @@ openvpn_encrypt (struct buffer *buf, struct buffer work,
 	  ASSERT (cipher_ctx_reset(ctx->cipher, iv_buf));
 
 	  /* Buffer overflow check */
-	  if (!buf_safe (&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
+	  if (!buf_safe (&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
 	    {
 	      msg (D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d",
 		   buf->capacity,
@@ -278,7 +278,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work,
 	  const int iv_size = cipher_ctx_iv_length (ctx->cipher);
 	  const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt (ctx->cipher);
 	  uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH];
-	  int outlen;
+	  int outlen = 0;
 
 	  /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */
 	  ASSERT (buf_init (&work, FRAME_HEADROOM_ADJ (frame, FRAME_HEADROOM_MARKER_DECRYPT)));
@@ -305,7 +305,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work,
 	    CRYPT_ERROR ("cipher init failed");
 
 	  /* Buffer overflow check (should never happen) */
-	  if (!buf_safe (&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
+	  if (!buf_safe (&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
 	    CRYPT_ERROR ("potential buffer overflow");
 
 	  /* Decrypt packet ID, payload */
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 348bdee..2594c96 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -617,7 +617,11 @@ int
 cipher_ctx_update (EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len,
     uint8_t *src, int src_len)
 {
-  return EVP_CipherUpdate (ctx, dst, dst_len, src, src_len);
+    if (EVP_CipherUpdate (ctx, dst, dst_len, src, src_len) != 1) {
+        msg(M_FATAL, "%s: EVP_CipherUpdate() failed", __func__);
+        return 0;
+    }
+    return 1;
 }
 
 int
diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
index f883c2a..f12abf1 100644
--- a/src/openvpn/crypto_openssl.h
+++ b/src/openvpn/crypto_openssl.h
@@ -52,6 +52,9 @@ typedef HMAC_CTX hmac_ctx_t;
 /** Maximum length of an IV */
 #define OPENVPN_MAX_IV_LENGTH 	EVP_MAX_IV_LENGTH
 
+/** Maximum length of a cipher block */
+#define OPENVPN_MAX_BLOCK_LENGTH   EVP_MAX_BLOCK_LENGTH
+
 /** Cipher is in CBC mode */
 #define OPENVPN_MODE_CBC 	EVP_CIPH_CBC_MODE
 
diff --git a/src/openvpn/error.c b/src/openvpn/error.c
index 6848425..de2fc49 100644
--- a/src/openvpn/error.c
+++ b/src/openvpn/error.c
@@ -400,6 +400,7 @@ void
 assert_failed (const char *filename, int line)
 {
   msg (M_FATAL, "Assertion failed at %s:%d", filename, line);
+  _exit(1);
 }
 
 /*
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 71c91a2..97ce6c0 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2556,8 +2556,9 @@ init_context_buffers (const struct frame *frame)
   b->aux_buf = alloc_buf (BUF_SIZE (frame));
 
 #ifdef ENABLE_CRYPTO
-  b->encrypt_buf = alloc_buf (BUF_SIZE (frame));
-  b->decrypt_buf = alloc_buf (BUF_SIZE (frame));
+  b->encrypt_buf = alloc_buf (BUF_SIZE (frame) + OPENVPN_MAX_BLOCK_LENGTH);
+  b->decrypt_buf = alloc_buf (BUF_SIZE (frame) + OPENVPN_MAX_BLOCK_LENGTH);
+
 #endif
 
 #ifdef ENABLE_LZO
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index 95d7153..8555789 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -76,6 +76,9 @@ recv_line (socket_descriptor_t sd,
   struct buffer la;
   int lastc = 0;
 
+  if (sd >= FD_SETSIZE)
+      return false;
+
   CLEAR (la);
   if (lookahead)
     la = *lookahead;
@@ -283,11 +286,11 @@ get_proxy_authenticate (socket_descriptor_t sd,
 			struct gc_arena *gc,
 		        volatile int *signal_received)
 {
-  char buf[256];
+  char buf[256] = {0};
   int ret = HTTP_AUTH_NONE;
   while (true)
     {
-      if (!recv_line (sd, buf, sizeof (buf), timeout, true, NULL, signal_received))
+      if (!recv_line (sd, buf, sizeof (buf) - 1, timeout, true, NULL, signal_received))
 	{
 	  *data = NULL;
 	  return HTTP_AUTH_NONE;
@@ -498,9 +501,9 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
 			       volatile int *signal_received)
 {
   struct gc_arena gc = gc_new ();
-  char buf[512];
-  char buf2[129];
-  char get[80];
+  char buf[512]  = {0};
+  char buf2[129] = {0};
+  char get[80]   = {0};
   int status;
   int nparms;
   bool ret = false;
@@ -586,7 +589,8 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
 	goto error;
 
       /* receive reply from proxy */
-      if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
+      memset(buf, 0, sizeof(buf));
+      if (!recv_line (sd, buf, sizeof(buf) - 1, p->options.timeout, true, NULL, signal_received))
 	goto error;
 
       /* remove trailing CR, LF */
@@ -615,7 +619,8 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
 
           while (true)
             {
-              if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
+              memset(buf, 0, sizeof(buf));  
+              if (!recv_line (sd, buf, sizeof(buf) - 1, p->options.timeout, true, NULL, signal_received))
                 goto error;
               chomp (buf);
               msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
@@ -685,7 +690,8 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
             goto error;
 
           /* receive reply from proxy */
-          if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
+          memset(buf, 0, sizeof(buf));
+          if (!recv_line (sd, buf, sizeof(buf) - 1, p->options.timeout, true, NULL, signal_received))
             goto error;
 
           /* remove trailing CR, LF */
@@ -795,7 +801,8 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
 		goto error;
 
 	      /* receive reply from proxy */
-	      if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
+          memset(buf, 0, sizeof(buf));
+	      if (!recv_line (sd, buf, sizeof(buf) - 1, p->options.timeout, true, NULL, signal_received))
 		goto error;
 
 	      /* remove trailing CR, LF */
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 0424c0b..39bbdc8 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -837,6 +837,9 @@ socket_listen_accept (socket_descriptor_t sd,
   /* struct openvpn_sockaddr *remote = &act->dest; */
   struct openvpn_sockaddr remote_verify = act->dest;
   int new_sd = SOCKET_UNDEFINED;
+    
+  if (sd >= FD_SETSIZE)
+      return -1;
 
   CLEAR (*act);
   socket_do_listen (sd, local, do_listen, true);
@@ -924,6 +927,9 @@ openvpn_connect (socket_descriptor_t sd,
 		 volatile int *signal_received)
 {
   int status = 0;
+ 
+  if (sd >= FD_SETSIZE)
+      return -1;
 
 #ifdef CONNECT_NONBLOCK
   set_nonblock (sd);
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index 2f051ec..b11cea0 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -97,13 +97,16 @@ socks_username_password_auth (struct socks_proxy_info *p,
                               socket_descriptor_t sd,
                               volatile int *signal_received)
 {
-  char to_send[516];
-  char buf[2];
+  char to_send[516] = {0};
+  char buf[2] = {0};
   int len = 0;
   const int timeout_sec = 5;
   struct user_pass creds;
   ssize_t size;
 
+  if (sd >= FD_SETSIZE)
+      return false;
+
   creds.defined = 0;
   get_user_pass (&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT);
 
@@ -186,7 +189,7 @@ socks_handshake (struct socks_proxy_info *p,
                  socket_descriptor_t sd,
                  volatile int *signal_received)
 {
-  char buf[2];
+  char buf[2] = {0};
   int len = 0;
   const int timeout_sec = 5;
   ssize_t size;
@@ -195,6 +198,8 @@ socks_handshake (struct socks_proxy_info *p,
   char method_sel[3] = { 0x05, 0x01, 0x00 };
   if (p->authfile[0])
       method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
+  if  (sd >= FD_SETSIZE)
+      return false;
 
   size = send (sd, method_sel, sizeof (method_sel), MSG_NOSIGNAL);
   if (size != sizeof (method_sel))
@@ -299,9 +304,12 @@ recv_socks_reply (socket_descriptor_t sd,
   char atyp = '\0';
   int alen = 0;
   int len = 0;
-  char buf[22];
+  char buf[22] = {0};
   const int timeout_sec = 5;
 
+  if (sd >= FD_SETSIZE)
+      return false;
+
   if (addr != NULL)
     {
       addr->addr.in4.sin_family = AF_INET;
@@ -378,7 +386,7 @@ recv_socks_reply (socket_descriptor_t sd,
 	}
 
       /* store char in buffer */
-      if (len < (int)sizeof(buf))
+      if (len < (int)sizeof(buf) && len >= 0)
 	buf[len] = c;
       ++len;
     }
@@ -408,7 +416,7 @@ establish_socks_proxy_passthru (struct socks_proxy_info *p,
 			        const int port,         /* openvpn server port */
 			        volatile int *signal_received)
 {
-  char buf[128];
+  char buf[128] = {0};
   size_t len;
 
   if (!socks_handshake (p, sd, signal_received))

Places

File openvpn-2.3.x-fixed-multiple-low-severity-issues.patch of Package openvpn.4886

Places