From c49e462ed1e7df813bc14022896bb26fa75546de Mon Sep 17 00:00:00 2001
From: Daiyuu Nobori
Date: Thu, 28 Sep 2023 18:26:17 +0900
Subject: [PATCH] Fix Vulnerability: CVE-2023-22325 TALOS-2023-1736 SoftEther VPN DCRegister DDNS_RPC_MAX_RECV_SIZE denial of service vulnerability https://www.softether.org/9-about/News/904-SEVPN202301 https://jvn.jp/en/jp/JVN64316789/
---
 src/Cedar/DDNS.h | 2 +-
 src/Mayaqua/Memory.c | 4 ++++
 src/Mayaqua/Network.c | 4 +++-
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/Cedar/DDNS.h b/src/Cedar/DDNS.h
index 0775766f..c8fa0207 100644
--- a/src/Cedar/DDNS.h
+++ b/src/Cedar/DDNS.h
@@ -43,7 +43,7 @@
 #define DDNS_URL2_V4_ALT "http://get-my-ip.ddns.uxcom.jp/ddns/getmyip.ashx"
 #define DDNS_URL2_V6_ALT "http://get-my-ip-v6.ddns.uxcom.jp/ddns/getmyip.ashx"
-#define DDNS_RPC_MAX_RECV_SIZE DYN32(DDNS_RPC_MAX_RECV_SIZE, (128 * 1024 * 1024))
+#define DDNS_RPC_MAX_RECV_SIZE DYN32(DDNS_RPC_MAX_RECV_SIZE, (38 * 1024 * 1024))
 // Connection Timeout
 #define DDNS_CONNECT_TIMEOUT DYN32(DDNS_CONNECT_TIMEOUT, (15 * 1000))
diff --git a/src/Mayaqua/Memory.c b/src/Mayaqua/Memory.c
index 96ff994a..aa793d70 100644
--- a/src/Mayaqua/Memory.c
+++ b/src/Mayaqua/Memory.c
@@ -3114,6 +3114,10 @@ void AdjustBufSize(BUF *b, UINT new_size)
 while (b->SizeReserved < new_size)
 {
+ if (b->SizeReserved > 0x7FFFFFFF)
+ {
+ AbortExitEx("AdjustBufSize(): too large buffer size");
+ }
 b->SizeReserved = b->SizeReserved * 2;
 }
 b->Buf = ReAlloc(b->Buf, b->SizeReserved);
diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index 04aebdea..b170d130 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
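Review bot: The new 38 MiB default for `DDNS_RPC_MAX_RECV_SIZE` has no comment saying what it protects or why this value was chosen, so a later edit could raise it again without realising it is a security limit. A line above the define such as `// Max accepted DDNS RPC response size; lowered for CVE-2023-22325, review AdjustBufSize() growth before raising` would record that. The default is also wrapped in `DYN32(...)`, which appears to let the value be overridden at runtime. It is worth confirming that every remaining source of such overrides is authenticated, since the Network.c hunk in this commit removes one that was reachable from spoofed UDP.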
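Review bot: The added guard in the doubling loop terminates the whole process through `AbortExitEx()` once `SizeReserved` exceeds 0x7FFFFFFF, so any caller that lets a peer drive `new_size` that high still suffers a denial of service, only as an abort instead of a wrapped size. The comparison itself looks right for a 32-bit `UINT`, but the fail-stop contract should be written down at the check, e.g. `// Doubling past 0x7FFFFFFF would wrap UINT; abort. Callers sizing buffers from untrusted input must enforce their own cap first.` Separately, if `SizeReserved` can ever be 0 on entry the loop would never terminate; whether that can happen depends on initialisation that is not visible here. The body of AdjustBufSize starts and ends outside the hunk.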
@@ -1191,7 +1191,9 @@ void RUDPProcess_NatT_Recv(RUDP_STACK *r, UDPPACKET *udp)
 bool is_ok = PackGetBool(p, "ok");
 UINT64 tran_id = PackGetInt64(p, "tran_id");
- ExtractAndApplyDynList(p);
+ // This ExtractAndApplyDynList() calling was removed because it is not actually used and could be abused by
+ // illegal UDP packets that spoof the source IP address. 2023-6-14 Daiyuu Nobori
+ // ExtractAndApplyDynList(p);
 if (r->ServerMode)
 {
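Review bot: The call is disabled by commenting it out, which leaves dead code and a dated, signed remark in the function even though version control already records who made the change and when. Deleting the line and keeping only the reason would read better, e.g. `// Do not apply the dyn list here: NAT-T replies arrive over UDP and the source address can be spoofed.` The surrounding code still reads `ok` and `tran_id` from the same packet, so it is worth checking that `tran_id` is matched against an outstanding request before any state is changed. That part of RUDPProcess_NatT_Recv lies outside the hunk.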