diff options
Diffstat (limited to 'debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch')
-rw-r--r-- | debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch | 42 |
1 files changed, 0 insertions, 42 deletions
diff --git a/debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch b/debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch deleted file mode 100644 index 0c80ee0..0000000 --- a/debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch +++ /dev/null @@ -1,42 +0,0 @@ -From c5590a6821e37f3b29735f55eb0c2b9c0924138c Mon Sep 17 00:00:00 2001 -From: Steffan Karger <steffan.karger@fox-it.com> -Date: Thu, 20 Nov 2014 13:43:05 +0100 -Subject: [PATCH] Drop too-short control channel packets instead of asserting - out. - -This fixes a denial-of-service vulnerability where an authenticated client -could stop the server by triggering a server-side ASSERT(). - -OpenVPN would previously ASSERT() that control channel packets have a -payload of at least 4 bytes. An authenticated client could trigger this -assert by sending a too-short control channel packet to the server. - -Thanks to Dragana Damjanovic for reporting the issue. - -This bug has been assigned CVE-2014-8104. - -Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> -Acked-by: Gert Doering <gert@greenie.muc.de> -Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7@FOXDFT02.FOX.local> -Signed-off-by: Gert Doering <gert@greenie.muc.de> ---- - src/openvpn/ssl.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -Index: openvpn/src/openvpn/ssl.c -=================================================================== ---- openvpn.orig/src/openvpn/ssl.c 2014-12-01 16:09:43.031080162 +0100 -+++ openvpn/src/openvpn/ssl.c 2014-12-01 16:09:43.027080161 +0100 -@@ -2028,7 +2028,11 @@ - ASSERT (session->opt->key_method == 2); - - /* discard leading uint32 */ -- ASSERT (buf_advance (buf, 4)); -+ if (!buf_advance (buf, 4)) { -+ msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", -+ buf->len); -+ goto error; -+ } - - /* get key method */ - key_method_flags = buf_read_u8 (buf); |