From f4bbe476beedc502b30ed8478d28ead727c03d4b Mon Sep 17 00:00:00 2001
From: Daiyuu Nobori
Date: Thu, 28 Sep 2023 19:08:40 +0900
Subject: [PATCH] Fix Vulnerability: CVE-2023-32275 TALOS-2023-1753 SoftEther VPN CtEnumCa () information disclosure vulnerability https://www.softether.org/9-about/News/904-SEVPN202301 https://jvn.jp/en/jp/JVN64316789/
---
 src/Mayaqua/Encrypt.c | 9 +++++++--
 src/Mayaqua/MayaType.h | 6 +-----
 src/Mayaqua/Memory.h | 2 ++
 3 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/Mayaqua/Encrypt.c b/src/Mayaqua/Encrypt.c
index b0535fc3..fed18bdb 100644
--- a/src/Mayaqua/Encrypt.c
+++ b/src/Mayaqua/Encrypt.c
@@ -712,7 +712,8 @@ UINT RsaPublicSize(K *k)
 // Hash a pointer to a 32-bit
 UINT HashPtrToUINT(void *p)
 {
- UCHAR hash_data[MD5_SIZE];
+ UCHAR hash_data[SHA256_SIZE];
+ UCHAR hash_src[CANARY_RAND_SIZE + sizeof(void *)];
 UINT ret;
 // Validate arguments
 if (p == NULL)
@@ -720,7 +721,11 @@ UINT HashPtrToUINT(void *p)
 return 0;
 }
- Md5(hash_data, &p, sizeof(p));
+ Zero(hash_src, sizeof(hash_src));
+ Copy(hash_src + 0, GetCanaryRand(CANARY_RAND_ID_PTR_KEY_HASH), CANARY_RAND_SIZE);
+ Copy(hash_src + CANARY_RAND_SIZE, p, sizeof(void *));
+
+ Sha2_256(hash_data, hash_src, sizeof(hash_src));
 Copy(&ret, hash_data, sizeof(ret));
diff --git a/src/Mayaqua/MayaType.h b/src/Mayaqua/MayaType.h
index 483fedad..73307cba 100644
--- a/src/Mayaqua/MayaType.h
+++ b/src/Mayaqua/MayaType.h
@@ -123,11 +123,7 @@ typedef int (COMPARE)(void *p1, void *p2);
 #define GET_ABS(a) ((a) >= 0 ? (a) : -(a))
 // Convert the pointer to UINT
-#ifdef CPU_64
-#define POINTER_TO_KEY(p) HashPtrToUINT(p)
-#else
-#define POINTER_TO_KEY(p) (UINT)(p)
-#endif
+#define POINTER_TO_KEY(p) (HashPtrToUINT(p))
 // Compare the pointer and UINT
 #define COMPARE_POINTER_AND_KEY(p, i) (POINTER_TO_KEY(p) == (i))
diff --git a/src/Mayaqua/Memory.h b/src/Mayaqua/Memory.h
index cb94a06d..49c9c5cd 100644
--- a/src/Mayaqua/Memory.h
+++ b/src/Mayaqua/Memory.h
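Review bot: In HashPtrToUINT (src/Mayaqua/Encrypt.c, second hunk), `Copy(hash_src + CANARY_RAND_SIZE, p, sizeof(void *));` reads the first sizeof(void *) bytes of the object that p points to, whereas the removed `Md5(hash_data, &p, sizeof(p))` hashed the pointer value itself. The key therefore depends on the object's contents, so it changes when those bytes change and COMPARE_POINTER_AND_KEY can stop matching, and the read runs past any object smaller than a pointer. The line should be `Copy(hash_src + CANARY_RAND_SIZE, &p, sizeof(void *));`. The rest of the function body is outside the hunk.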
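Review bot: The comment above POINTER_TO_KEY in src/Mayaqua/MayaType.h still reads `// Convert the pointer to UINT`, but after this hunk the macro returns a keyed, truncated hash on every build, including 32-bit builds where it used to be a plain cast. I would reword it to `// Map the pointer to an opaque UINT key (keyed hash, not reversible; never cast a key back to a pointer)`. Any 32-bit code that relied on the key being the address is not visible here and should be checked before merging. Because the key is a 32-bit truncation, two distinct pointers can in principle share a key, so COMPARE_POINTER_AND_KEY is a probabilistic match and no longer an identity test on 32-bit builds.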
@@ -378,6 +378,8 @@ bool AddStrToStrListDistinct(LIST *o, char *str);
 #define CANARY_RAND_ID_MEMTAG_MAGIC 0
 #define CANARY_RAND_SIZE 20
+#define CANARY_RAND_ID_PTR_KEY_HASH 1
+
 void InitCanaryRand();
 UCHAR *GetCanaryRand(UINT id);
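Review bot: `CANARY_RAND_ID_PTR_KEY_HASH` is added without a comment, and nothing in this hunk shows that GetCanaryRand() has a slot for id 1 or that InitCanaryRand() has run before the first POINTER_TO_KEY call. If the slot were unset, the secret mixed into HashPtrToUINT() would be a fixed value and the keys would be predictable from addresses again; this is inferred, since both implementations are outside the hunk. A comment such as `// Canary slot used as the secret key in HashPtrToUINT(); InitCanaryRand() must run before any POINTER_TO_KEY use` would record the dependency.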