File openvpn-CVE-2018-9336.patch of Package openvpn.23378
From 1394192b210cb3c6624a7419bcf3ff966742e79b Mon Sep 17 00:00:00 2001 From: Gert Doering <gert@greenie.muc.de> Date: Sat, 14 Apr 2018 09:26:17 +0200 Subject: [PATCH] Fix potential double-free() in Interactive Service (CVE-2018-9336) Malformed input data on the service pipe towards the OpenVPN interactive service (normally used by the OpenVPN GUI to request openvpn instances from the service) can result in a double free() in the error handling code. This usually only leads to a process crash (DoS by an unprivileged local account) but since it could possibly lead to memory corruption if happening while multiple other threads are active at the same time, CVE-2018-9336 has been assigned to acknowledge this risk. Fix by ensuring that sud->directory is set to NULL in GetStartUpData() for all error cases (thus not being free()ed in FreeStartupData()). Rewrite control flow to use explicit error label for error exit. Discovered and reported by Jacob Baines <jbaines@tenable.com>. CVE: 2018-9336 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Selva Nair <selva.nair@gmail.com> Message-Id: <20180414072617.25075-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/search?l=mid&q=20180414072617.25075-1-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de> --- src/openvpnserv/interactive.c | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) --- src/openvpnserv/interactive.c.orig +++ src/openvpnserv/interactive.c @@ -461,7 +461,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA { MsgToEventLog(M_SYSERR, TEXT("PeekNamedPipeAsync failed")); ReturnLastError(pipe, L"PeekNamedPipeAsync"); - goto out; + goto err; } size = bytes / sizeof(*data); @@ -470,7 +470,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA { MsgToEventLog(M_SYSERR, TEXT("malloc failed")); ReturnLastError(pipe, L"malloc"); - goto out; + goto err; } read = ReadPipeAsync(pipe, data, bytes, 1, &exit_event); 
@@ -478,14 +478,14 @@ GetStartupData(HANDLE pipe, STARTUP_DATA { MsgToEventLog(M_SYSERR, TEXT("ReadPipeAsync failed")); ReturnLastError(pipe, L"ReadPipeAsync"); - goto out; + goto err; } if (data[size - 1] != 0) { MsgToEventLog(M_ERR, TEXT("Startup data is not NULL terminated")); ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); - goto out; + goto err; } sud->directory = data; @@ -495,7 +495,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA { MsgToEventLog(M_ERR, TEXT("Startup data ends at working directory")); ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); - goto out; + goto err; } sud->options = sud->directory + len; @@ -505,16 +505,16 @@ GetStartupData(HANDLE pipe, STARTUP_DATA { MsgToEventLog(M_ERR, TEXT("Startup data ends at command line options")); ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); - goto out; + goto err; } sud->std_input = sud->options + len; - data = NULL; /* don't free data */ - ret = TRUE; + return TRUE; -out: +err: + sud->directory = NULL; /* caller must not free() */ free(data); - return ret; + return FALSE; }
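Review bot: in the last hunk, the new `err:` path clears only `sud->directory`, but `sud->options` has already been assigned (`sud->options = sud->directory + len;`) by the time the "Startup data ends at command line options" check jumps to `err`, so after `free(data)` it still points into the freed buffer. The double free itself is closed by the `sud->directory = NULL;` line, but I would also set `sud->options = NULL;` (and `sud->std_input`) at `err:` so that no caller can read a stale pointer after a FALSE return. Separately, `ret` is no longer referenced in any of the visible lines, and the diffstat in the header (11 insertions, 12 deletions) does not match the hunks shown here (10 and 10); please check that the declaration of `ret` was dropped in this backport and that no hunk was lost.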