1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-26 03:19:52 +03:00

src/Cedar/Proto_OpenVPN.c: fix denial of service found by Cisco Talos

specially crafted network packet lead to buffer overrun and process
crash. working exploit was provided by Cisco Talos team.

An integer underflow vulnerability exists in the vpnserver
OvsProcessData functionality of SoftEther VPN 5.01.9674 and 5.02. A
specially-crafted network packet can lead to denial of service. An
attacker can send a malicious packet to trigger this vulnerability.

The versions below were either tested or verified to be vulnerable by
Talos or confirmed to be vulnerable by the vendor.

SoftEther VPN 5.01.9674
SoftEther VPN 5.02
While 5.01.9674 is a development version, it is distributed at the time
of writing by Ubuntu and other Debian-based distributions.
This commit is contained in:
Ilya Shipitsin 2023-04-16 23:06:30 +02:00
parent 22c602f630
commit d2e673a47d

View File

@ -147,7 +147,7 @@ bool OvsProcessData(void *param, TCP_RAW_DATA *in, FIFO *out)
payload_size = READ_USHORT(FifoPtr(fifo)); payload_size = READ_USHORT(FifoPtr(fifo));
packet_size = payload_size + sizeof(USHORT); packet_size = payload_size + sizeof(USHORT);
if (payload_size == 0 || packet_size > sizeof(buf)) if (payload_size == 0 || payload_size > (sizeof(buf) - sizeof(USHORT)))
{ {
ret = false; ret = false;
Debug("OvsProcessData(): Invalid payload size: %u bytes\n", payload_size); Debug("OvsProcessData(): Invalid payload size: %u bytes\n", payload_size);