diff options
author | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2005-10-31 03:49:25 +0000 |
---|---|---|
committer | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2005-10-31 03:49:25 +0000 |
commit | 79df31c85ab06d24f9443e370160cc9c44b88b93 (patch) | |
tree | b3f92140b9c210485c2c0caad578c844791f3bcb | |
parent | Windows reliability changes: (diff) | |
download | openvpn-79df31c85ab06d24f9443e370160cc9c44b88b93.tar.xz |
svn merge -r 734:737 $SO/trunk/openvpn
Security fixes from 2.0.3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@740 e7ae566f-a301-0410-adde-c780ea21d3b5
-rw-r--r-- | ChangeLog | 19 | ||||
-rw-r--r-- | init.c | 8 | ||||
-rw-r--r-- | init.h | 2 | ||||
-rw-r--r-- | multi.c | 2 | ||||
-rw-r--r-- | openvpn.h | 9 | ||||
-rw-r--r-- | options.c | 2 |
6 files changed, 34 insertions, 8 deletions
@@ -5,6 +5,25 @@ $Id$ 2005.10.xx -- Version 2.1-beta5 +* Security fix -- Affects non-Windows OpenVPN clients of + version 2.0 or higher which connect to a malicious or + compromised server. A format string vulnerability + in the foreign_option function in options.c could + potentially allow a malicious or compromised server + to execute arbitrary code on the client. Only + non-Windows clients are affected. The vulnerability + only exists if (a) the client's TLS negotiation with + the server succeeds, (b) the server is malicious or + has been compromised such that it is configured to + push a maliciously crafted options string to the client, + and (c) the client indicates its willingness to accept + pushed options from the server by having "pull" or + "client" in its configuration file. +* Security fix -- Potential DoS vulnerability on the + server in TCP mode. If the TCP server accept() call + returns an error status, the resulting exception handler + may attempt to indirect through a NULL pointer, causing + a segfault. Affects all OpenVPN 2.0 versions. * Fix attempt of assertion at multi.c:1586 (note that this precise line number will vary across different versions of OpenVPN). @@ -2682,7 +2682,7 @@ inherit_context_child (struct context *dest, #endif /* context init */ - init_instance (dest, src->c2.es, CC_USR1_TO_HUP | CC_GC_FREE); + init_instance (dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP); if (IS_SIG (dest)) return; @@ -2756,6 +2756,9 @@ inherit_context_top (struct context *dest, void close_context (struct context *c, int sig, unsigned int flags) { + ASSERT (c); + ASSERT (c->sig); + if (sig >= 0) c->sig->signal_received = sig; @@ -2766,7 +2769,8 @@ close_context (struct context *c, int sig, unsigned int flags) c->sig->signal_received = SIGHUP; } - close_instance (c); + if (!(flags & CC_NO_CLOSE)) + close_instance (c); if (flags & CC_GC_FREE) context_gc_free (c); @@ -94,6 +94,8 @@ void inherit_context_top (struct context *dest, #define CC_GC_FREE (1<<0) #define CC_USR1_TO_HUP (1<<1) #define CC_HARD_USR1_TO_HUP (1<<2) +#define CC_NO_CLOSE (1<<3) + void close_context (struct context *c, int sig, unsigned int flags); struct context_buffers *init_context_buffers (const struct frame *frame); @@ -577,10 +577,10 @@ multi_create_instance (struct multi_context *m, const struct mroute_addr *real) generate_prefix (mi); } + mi->did_open_context = true; inherit_context_child (&mi->context, &m->top); if (IS_SIG (&mi->context)) goto err; - mi->did_open_context = true; mi->context.c2.context_auth = CAS_PENDING; @@ -398,10 +398,11 @@ struct context_2 in_addr_t push_ifconfig_remote_netmask; /* client authentication state */ -# define CAS_SUCCEEDED 0 -# define CAS_PENDING 1 -# define CAS_FAILED 2 -# define CAS_PARTIAL 3 /* at least one client-connect script/plugin +# define CAS_UNDEF 0 +# define CAS_SUCCEEDED 1 +# define CAS_PENDING 2 +# define CAS_FAILED 3 +# define CAS_PARTIAL 4 /* at least one client-connect script/plugin succeeded while a later one in the chain failed */ int context_auth; #endif @@ -2274,7 +2274,7 @@ foreign_option (struct options *o, char *argv[], int len, struct env_set *es) { if (!first) buf_printf (&value, " "); - buf_printf (&value, argv[i]); + buf_printf (&value, "%s", argv[i]); first = false; } } |