path: root/debian/patches/CVE-2017-7478.patch
blob: e301cf11b49ef8f0ce5d2f3f6afb7f5c1dce78c9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
From be66408610a52f81c9c895a8973958ead55a4e57 Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan.karger@fox-it.com>
Date: Tue, 9 May 2017 15:40:25 +0300
Subject: [PATCH] Don't assert out on receiving too-large control packets
 (CVE-2017-xxx)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Commit 3c1b19e0 changed the maximum size of accepted control channel
packets.  This was needed for crypto negotiation (which is needed for a
nice transition to a new default cipher), but exposed a DoS
vulnerability.  The vulnerability was found during the OpenVPN 2.4 code
audit by Quarkslab (commissioned by OSTIF).

To fix the issue, we should not ASSERT() on external input (in this case
the received packet size), but instead gracefully error out and drop the
invalid packet.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>

CVE-2017-7478

  Security
  --------
  - This release fixes a pre-authentication denial-of-service attack on both
    clients and servers.  By sending a too-large control packet, OpenVPN 2.4.0 or
    2.4.1 can be forced to hit an ASSERT() and stop the process.  If
    ``--tls-auth`` or ``--tls-crypt`` is used, only attackers that have the
    ``--tls-auth`` or ``--tls-crypt`` key can mount an attack. (CVE-2017-xxx)

---
 Changes.rst       | 8 ++++++++
 src/openvpn/ssl.c | 7 ++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

Index: openvpn-2.4.0/src/openvpn/ssl.c
===================================================================
--- openvpn-2.4.0.orig/src/openvpn/ssl.c
+++ openvpn-2.4.0/src/openvpn/ssl.c
@@ -3708,7 +3708,12 @@ tls_pre_decrypt(struct tls_multi *multi,
                                 /* Save incoming ciphertext packet to reliable buffer */
                                 struct buffer *in = reliable_get_buf(ks->rec_reliable);
                                 ASSERT(in);
-                                ASSERT(buf_copy(in, buf));
+                                if(!buf_copy(in, buf))
+                                {
+                                    msg(D_MULTI_DROPPED,
+                                        "Incoming control channel packet too big, dropping.");
+                                    goto error;
+                                }
                                 reliable_mark_active_incoming(ks->rec_reliable, in, id, op);
                             }
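
Review bot: The unchanged `ASSERT(in);` directly above the new check is still an assertion in the same receive path, while the commit message states that external input should not reach an ASSERT(). Please confirm that `reliable_get_buf(ks->rec_reliable)` cannot return NULL as a result of anything the peer controls at this point; if it can, it should get the same log-and-`goto error` treatment as the `buf_copy()` failure. Also worth checking on the new error path: `in` has been obtained but is never passed to `reliable_mark_active_incoming()`, so verify the slot stays reusable after the drop. Two smaller points: `if(!buf_copy(in, buf))` is missing the space after `if`, and the diffstat in the header lists `Changes.rst | 8 ++++++++`, but this patch carries only the `src/openvpn/ssl.c` hunk, so the header no longer matches what is applied. The drop message would be more useful for triage if it included the received length.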