From c5590a6821e37f3b29735f55eb0c2b9c0924138c Mon Sep 17 00:00:00 2001 From: Steffan Karger Date: Thu, 20 Nov 2014 13:43:05 +0100 Subject: [PATCH] Drop too-short control channel packets instead of asserting out. This fixes a denial-of-service vulnerability where an authenticated client could stop the server by triggering a server-side ASSERT(). OpenVPN would previously ASSERT() that control channel packets have a payload of at least 4 bytes. An authenticated client could trigger this assert by sending a too-short control channel packet to the server. Thanks to Dragana Damjanovic for reporting the issue. This bug has been assigned CVE-2014-8104. Signed-off-by: Steffan Karger Acked-by: Gert Doering Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7@FOXDFT02.FOX.local> Signed-off-by: Gert Doering --- src/openvpn/ssl.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) Index: openvpn/src/openvpn/ssl.c =================================================================== --- openvpn.orig/src/openvpn/ssl.c 2014-12-01 16:09:43.031080162 +0100 +++ openvpn/src/openvpn/ssl.c 2014-12-01 16:09:43.027080161 +0100 @@ -2028,7 +2028,11 @@ ASSERT (session->opt->key_method == 2); /* discard leading uint32 */ - ASSERT (buf_advance (buf, 4)); + if (!buf_advance (buf, 4)) { + msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", + buf->len); + goto error; + } /* get key method */ key_method_flags = buf_read_u8 (buf);