From a functional point of view, the main improvement is that GetIP() now always prioritizes IPv6 over IPv4.
The previous implementation always returned an IPv4 address, unless not available: in such case it failed.
This means that now connections to hostnames should be established via IPv6 if available.
From a programmer point of view, getting rid of the insane wrappers is enough to justify a complete rewrite.
As an extra, several unrelated unused global variables are removed.
This works for all VPN protocols.
In SessionMain(): for DHCPDISCOVER and DHCPREQUEST frames, write the static IP address (which is retrieved from the user notes) in the SIADDR field of DHCPHEADER.
In VirtualDhcpServer(): for DHCPDISCOVER and DHCPREQUEST frames, read the static IP address from the SIADDR field of DHCPHEADER and assign it to the client.
If SecureNAT is enabled and the hostname of the server
is longer than 16characters, every NETBIOS name resolution
query triggers the buffer overflow. If the server was built
with stack protection, the process will be killed.
A race condition in the DHCP server caused it to offer the same IP address to multiple clients when they connected at the same time, because an offered IP address was considered free until the final step (DHCP_ACK).
This commit introduces a list to keep track of the pending leases created during DHCP_OFFER, so that an IP address is guaranteed to be offered to a single client.
- Hash() has been removed because it was ambiguous, Md5() and Sha0() are proper replacements.
- HMacMd5() and HMacSha1() now share a common implementation handled by the new Internal_HMac() function.
- NewMd() and MdProcess() now support plain hashing (without the key).
- NewMd(), SetMdKey() and MdProcess() now check the OpenSSL functions' return value and in case of failure a debug message is printed along with the error string, if available.
- SetMdKey()'s return value has been changed from void to bool, so that it's possible to know whether the function succeeded or not.
- MdProcess()' return value has been changed from void to UINT (unsigned int) and the function now returns the number of bytes written by HMAC_Final() or EVP_DigestFinal_ex().
When installing a new device driver of the Virtual Network Driver card, we changed the initial random MAC address from 00-AC-xx-xx-xx-xx to 5E-xx-xx-xx-xx-xx. This realizes the compliance with the local address bit of the MAC address rule.
Buffer overread in ParseL2TPPacket()
Memory corruption in IcmpParseResult
Missing bounds check in ParseUDP() can lead to invalid memory access
Out-of-bounds read in IPsec_PPP.c (unterminated string buffer)
Overlapping parameters to memcpy() via StrToIp6()
PACK ReadValue() crash vulnerability
Potential use of uninitialized memory via IPToInAddr6()
4 memory leaks. While the amount of leakage is very small per time, these bugs can finally cause process crash by out of memory. So these bugs must be fixed.
Memory leak in NnReadDnsRecord
Memory leak in RadiusLogin()
Memory leak via ParsePacketIPv4WithDummyMacHeader
Remote memory leak in OpenVPN server code
1 coding improvement. This is not a bug, however, I fixed the code to avoid furture misunderstanding.
RecvAll can return success on failure (leading to use of uninitialized memory)
Contributors for this bugfix:
- Max Planck Institute for Molecular Genetics
- Guido Vranken
Suppose there is a TCP SYN or SYN-ACK packet taking options as:
02 04 05 b4 01 01 04 02 01 03 03 04
which is
Options: (12 bytes)
>Maximum segment size: 1460 bytes
>No-Operation (NOP)
>No-Operation (NOP)
>TCP SACK Permitted Option: True
>No-Operation (NOP)
>Window scale: 4 (multiply by 16)
Then the original parse function only returns MSS 1460 while WSS is 0.
[src/Cedar/Virtual.c:2389] -> [src/Cedar/Virtual.c:2398]: (warning) Either the condition 'a==0' is redundant or there is possible null pointer dereference: a.
[src/Cedar/Virtual.c:4000] -> [src/Cedar/Virtual.c:4004]: (warning) Either the condition 'n==0' is redundant or there is possible null pointer dereference: n.
[src/Cedar/Virtual.c:4203] -> [src/Cedar/Virtual.c:4207]: (warning) Either the condition 'n==0' is redundant or there is possible null pointer dereference: n.
