AMajor/SoftEtherVPN
1
0
Fork 0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-22 17:39:53 +03:00
Code Releases Activity

Proto_OpenVPN.c: improve OvsProcessData(), fix out-of-bounds access found by Coverity

Browse Source 
Coverity Scan detected an out-of-bounds access issue: OvsProcessData() checked whether the payload size was bigger than the size of the buffer, instead of checking whether the entire packet size (payload size + 2 bytes) was, resulting in an out-of-bounds access in case the payload size is bigger than 1998.

This commit also improves the variable names, the comments and adds two Debug() lines.
This commit is contained in:
Davide Beatrici 2019-10-27 09:01:56 +01:00
parent 7349c4b16a
commit 5d73cd878f
1 changed files with 16 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
src/Cedar/Proto_OpenVPN.c
View File

@ -95,45 +95,42 @@ bool OvsProcessData(void *param, TCP_RAW_DATA *received_data, FIFO *data_to_send
while (true) while (true)
{ {
UDPPACKET *packet; UDPPACKET *packet;
UCHAR *packet_ptr; USHORT payload_size, packet_size;
UINT packet_size, total_packet_size; FIFO *fifo = received_data->Data;
FIFO *recv_fifo = received_data->Data; const UINT fifo_size = FifoSize(fifo);
const UINT data_size = FifoSize(recv_fifo);
if (data_size < sizeof(USHORT)) if (fifo_size < sizeof(USHORT))
{ {
// Corrupt data // Non-arrival
break; break;
} }
packet_size = READ_USHORT(FifoPtr(recv_fifo)); // The beginning of a packet contains the data size
payload_size = READ_USHORT(FifoPtr(fifo));
packet_size = payload_size + sizeof(USHORT);
if (packet_size == 0 || packet_size > sizeof(buf)) if (payload_size == 0 || packet_size > sizeof(buf))
{ {
// Invalid packet size
ret = false; ret = false;
Debug("OvsProcessData(): Invalid payload size: %u bytes\n", payload_size);
break; break;
} }
total_packet_size = packet_size + sizeof(USHORT); if (fifo_size < packet_size)
if (data_size < total_packet_size)
{ {
// Corrupt data // Non-arrival
break; break;
} }
if (ReadFifo(recv_fifo, buf, total_packet_size) != total_packet_size) if (ReadFifo(fifo, buf, packet_size) != packet_size)
{ {
// Mismatch
ret = false; ret = false;
Debug("OvsProcessData(): ReadFifo() failed to read the packet\n");
break; break;
} }
// Read one packet and put it in the list // Insert packet into the list
packet_ptr = buf + sizeof(USHORT); packet = NewUdpPacket(&received_data->SrcIP, received_data->SrcPort, &received_data->DstIP, received_data->DstPort, Clone(buf + sizeof(USHORT), payload_size), payload_size);
packet = NewUdpPacket(&received_data->SrcIP, received_data->SrcPort, &received_data->DstIP, received_data->DstPort, Clone(packet_ptr, packet_size), packet_size);
packet->Type = OPENVPN_PROTOCOL_TCP; packet->Type = OPENVPN_PROTOCOL_TCP;
Add(server->RecvPacketList, packet); Add(server->RecvPacketList, packet);
} }