This fixes a denial-of-service vulnerability where an authenticated client
could stop the server by triggering a server-side ASSERT().
OpenVPN would previously ASSERT() that control channel packets have a
payload of at least 4 bytes. An authenticated client could trigger this
assert by sending a too-short control channel packet to the server.
Thanks to Dragana Damjanovic for reporting the issue.
This bug has been assigned CVE-2014-8104.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7@FOXDFT02.FOX.local>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c5590a6821e37f3b29735f55eb0c2b9c0924138c)
... | ... |
@@ -2035,7 +2035,11 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi |
2035 | 2035 |
ASSERT (session->opt->key_method == 2); |
2036 | 2036 |
|
2037 | 2037 |
/* discard leading uint32 */ |
2038 |
- ASSERT (buf_advance (buf, 4)); |
|
2038 |
+ if (!buf_advance (buf, 4)) { |
|
2039 |
+ msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", |
|
2040 |
+ buf->len); |
|
2041 |
+ goto error; |
|
2042 |
+ } |
|
2039 | 2043 |
|
2040 | 2044 |
/* get key method */ |
2041 | 2045 |
key_method_flags = buf_read_u8 (buf); |