From 16bde4776390ef76855a22e65d09b7b4936c389b Mon Sep 17 00:00:00 2001 From: Davide Beatrici Date: Sat, 26 Oct 2019 00:36:07 +0200 Subject: [PATCH] Proto_OpenVPN.c: fix segmentation fault in OvsProceccRecvPacket() OvsDecrypt() returns 0 when it fails, resulting in "size" rolling over with an end result of 4294967292. This commit fixes the issue by checking whether "size" is greater than sizeof(UINT) before performing the subtraction. --- src/Cedar/Proto_OpenVPN.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/Cedar/Proto_OpenVPN.c b/src/Cedar/Proto_OpenVPN.c index 9fb776f2..f8ddbee2 100644 --- a/src/Cedar/Proto_OpenVPN.c +++ b/src/Cedar/Proto_OpenVPN.c @@ -681,10 +681,12 @@ void OvsProceccRecvPacket(OPENVPN_SERVER *s, UDPPACKET *p) { // Decrypt size = OvsDecrypt(c->CipherDecrypt, c->MdRecv, c->IvRecv, data, recv_packet->Data, recv_packet->DataSize); - - // Seek buffer after the packet ID - data += sizeof(UINT); - size -= sizeof(UINT); + if (size > sizeof(UINT)) + { + // Seek buffer after the packet ID + data += sizeof(UINT); + size -= sizeof(UINT); + } } // Update of last communication time