mirror of
https://github.com/SoftEtherVPN/SoftEtherVPN.git
synced 2024-12-27 10:39:53 +03:00
Proto_OpenVPN.c: improve OvsProcessData(), fix out-of-bounds access found by Coverity
Coverity Scan detected an out-of-bounds access issue: OvsProcessData() checked whether the payload size was bigger than the size of the buffer, instead of checking whether the entire packet size (payload size + 2 bytes) was, resulting in an out-of-bounds access in case the payload size is bigger than 1998. This commit also improves the variable names, the comments and adds two Debug() lines.
This commit is contained in:
parent
7349c4b16a
commit
5d73cd878f
@ -95,45 +95,42 @@ bool OvsProcessData(void *param, TCP_RAW_DATA *received_data, FIFO *data_to_send
|
||||
while (true)
|
||||
{
|
||||
UDPPACKET *packet;
|
||||
UCHAR *packet_ptr;
|
||||
UINT packet_size, total_packet_size;
|
||||
FIFO *recv_fifo = received_data->Data;
|
||||
const UINT data_size = FifoSize(recv_fifo);
|
||||
USHORT payload_size, packet_size;
|
||||
FIFO *fifo = received_data->Data;
|
||||
const UINT fifo_size = FifoSize(fifo);
|
||||
|
||||
if (data_size < sizeof(USHORT))
|
||||
if (fifo_size < sizeof(USHORT))
|
||||
{
|
||||
// Corrupt data
|
||||
// Non-arrival
|
||||
break;
|
||||
}
|
||||
|
||||
packet_size = READ_USHORT(FifoPtr(recv_fifo));
|
||||
// The beginning of a packet contains the data size
|
||||
payload_size = READ_USHORT(FifoPtr(fifo));
|
||||
packet_size = payload_size + sizeof(USHORT);
|
||||
|
||||
if (packet_size == 0 || packet_size > sizeof(buf))
|
||||
if (payload_size == 0 || packet_size > sizeof(buf))
|
||||
{
|
||||
// Invalid packet size
|
||||
ret = false;
|
||||
Debug("OvsProcessData(): Invalid payload size: %u bytes\n", payload_size);
|
||||
break;
|
||||
}
|
||||
|
||||
total_packet_size = packet_size + sizeof(USHORT);
|
||||
|
||||
if (data_size < total_packet_size)
|
||||
if (fifo_size < packet_size)
|
||||
{
|
||||
// Corrupt data
|
||||
// Non-arrival
|
||||
break;
|
||||
}
|
||||
|
||||
if (ReadFifo(recv_fifo, buf, total_packet_size) != total_packet_size)
|
||||
if (ReadFifo(fifo, buf, packet_size) != packet_size)
|
||||
{
|
||||
// Mismatch
|
||||
ret = false;
|
||||
Debug("OvsProcessData(): ReadFifo() failed to read the packet\n");
|
||||
break;
|
||||
}
|
||||
|
||||
// Read one packet and put it in the list
|
||||
packet_ptr = buf + sizeof(USHORT);
|
||||
|
||||
packet = NewUdpPacket(&received_data->SrcIP, received_data->SrcPort, &received_data->DstIP, received_data->DstPort, Clone(packet_ptr, packet_size), packet_size);
|
||||
// Insert packet into the list
|
||||
packet = NewUdpPacket(&received_data->SrcIP, received_data->SrcPort, &received_data->DstIP, received_data->DstPort, Clone(buf + sizeof(USHORT), payload_size), payload_size);
|
||||
packet->Type = OPENVPN_PROTOCOL_TCP;
|
||||
Add(server->RecvPacketList, packet);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user