1 files changed, 55 insertions, 0 deletions

diff --git a/debian/patches/CVE-2017-7478.patch b/debian/patches/CVE-2017-7478.patch
new file mode 100644
index 0000000..e301cf1
--- /dev/null
+++ b/debian/patches/CVE-2017-7478.patch
@@ -0,0 +1,55 @@
+From be66408610a52f81c9c895a8973958ead55a4e57 Mon Sep 17 00:00:00 2001
+From: Steffan Karger <steffan.karger@fox-it.com>
+Date: Tue, 9 May 2017 15:40:25 +0300
+Subject: [PATCH] Don't assert out on receiving too-large control packets
+ (CVE-2017-xxx)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 3c1b19e0 changed the maximum size of accepted control channel
+packets.  This was needed for crypto negotiation (which is needed for a
+nice transition to a new default cipher), but exposed a DoS
+vulnerability.  The vulnerability was found during the OpenVPN 2.4 code
+audit by Quarkslab (commisioned by OSTIF).
+
+To fix the issue, we should not ASSERT() on external input (in this case
+the received packet size), but instead gracefully error out and drop the
+invalid packet.
+
+Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
+Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
+
+CVE-2017-7478
+
+  Security
+  --------
+  - This release fixes a pre-authentication denial-of-service attack on both
+    clients and servers.  By sending a too-large control packet, OpenVPN 2.4.0 or
+    2.4.1 can be forced to hit an ASSERT() and stop the process.  If
+    ``--tls-auth`` or ``--tls-crypt`` is used, only attackers that have the
+    ``--tls-auth`` or ``--tls-crypt`` key can mount an attack. (CVE-2017-xxx)
+
+---
+ Changes.rst       | 8 ++++++++
+ src/openvpn/ssl.c | 7 ++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+Index: openvpn-2.4.0/src/openvpn/ssl.c
+===================================================================
+--- openvpn-2.4.0.orig/src/openvpn/ssl.c
++++ openvpn-2.4.0/src/openvpn/ssl.c
+@@ -3708,7 +3708,12 @@ tls_pre_decrypt(struct tls_multi *multi,
+                                 /* Save incoming ciphertext packet to reliable buffer */
+                                 struct buffer *in = reliable_get_buf(ks->rec_reliable);
+                                 ASSERT(in);
+-                                ASSERT(buf_copy(in, buf));
++                                if(!buf_copy(in, buf))
++                                {
++                                    msg(D_MULTI_DROPPED,
++                                        "Incoming control channel packet too big, dropping.");
++                                    goto error;
++                                }
+                                 reliable_mark_active_incoming(ks->rec_reliable, in, id, op);
+                             }
+