Merge pull request #2263 from metalefty/freebsd-ci

CI: Switch FreeBSD CI from Cirrus CI to GitHub Actions

.cirrus.yml

@@ -1,25 +0,0 @@
-FreeBSD_task:
-  matrix:
-    env:
-      SSL: openssl
-      OPENSSL_ROOT_DIR: /usr/local
-    env:
-      SSL: openssl36
-      OPENSSL_ROOT_DIR: /usr/local
-    env:
-      # base openssl
-      SSL:
-  matrix:
-    freebsd_instance:
-      image_family: freebsd-14-3
-  prepare_script:
-    - pkg install -y pkgconf cmake git libsodium cpu_features $SSL
-    - git submodule update --init --recursive
-  configure_script:
-    - CMAKE_FLAGS="-DUSE_SYSTEM_CPU_FEATURES=1" CFLAGS="-I/usr/local/include/cpu_features" ./configure
-  build_script:
-    - make -j $(sysctl -n hw.ncpu || echo 4) -C build
-  test_script:
-    - ldd build/vpnserver
-    - .ci/memory-leak-test.sh
-    - .ci/vpntools-check.sh

.github/workflows/freebsd.yml

@@ -0,0 +1,39 @@
+name: FreeBSD
+
+on: [push, pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  build_and_test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - ssl: openssl # currently 3.0
+            openssl_root_dir: /usr/local
+          - ssl: openssl36
+            openssl_root_dir: /usr/local
+          - ssl: # base openssl
+            openssl_root_dir:
+    name: FreeBSD with ${{ matrix.ssl || 'base openssl' }}
+    env:
+      SSL: ${{ matrix.ssl }}
+      OPENSSL_ROOT_DIR: ${{ matrix.openssl_root_dir }}
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        submodules: true
+    - uses: vmactions/freebsd-vm@v1
+      with:
+        envs: 'OPENSSL_ROOT_DIR SSL'
+        prepare: |
+          pkg install -y $SSL pkgconf cmake git libsodium cpu_features
+        run: |
+          CMAKE_FLAGS="-DUSE_SYSTEM_CPU_FEATURES=1" CFLAGS="-I/usr/local/include/cpu_features" ./configure
+          make -j $(nproc || echo 4) -C build
+          ldd build/vpnserver
+          .ci/memory-leak-test.sh
+          .ci/vpntools-check.sh

src/Cedar/Proto_PPP.c

@@ -3615,6 +3615,8 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapSize)
 		dataBuffer = eap_packet->Tls.TlsDataWithLength.Data;
 		dataSize -= 4;
 		tlsLength = Endian32(eap_packet->Tls.TlsDataWithLength.TlsLength);
+		// Let's just clamp it to a safe size to avoid DoS (GHSA-q5g3-qhc6-pr3h)
+		tlsLength = MIN(tlsLength, PPP_MRU_MAX * 10);
 	}
 	/*Debug("=======RECV EAP-TLS PACKET DUMP=======\n");
 	for (i = 0; i < dataSize; i++)
@@ -3659,10 +3661,13 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapSize)
 			sizeLeft = GetMemSize(p->Eap_TlsCtx.CachedBufferRecv);
 			sizeLeft -= (UINT)(p->Eap_TlsCtx.CachedBufferRecvPntr - p->Eap_TlsCtx.CachedBufferRecv);
 
+			if (sizeLeft > 0)
+			{
 				Copy(p->Eap_TlsCtx.CachedBufferRecvPntr, dataBuffer, MIN(sizeLeft, dataSize));
 
 				p->Eap_TlsCtx.CachedBufferRecvPntr += MIN(sizeLeft, dataSize);
 			}
+		}
 
 		// If we got a cached buffer, we should feed the FIFOs via it
 		if (p->Eap_TlsCtx.CachedBufferRecv != NULL)
@@ -3783,6 +3788,8 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapSize)
 						}
 						AcUnlock(hub);
 						ReleaseHub(hub);
+						// Making sure the stale pntr is cleared and can't be reused (GHSA-7437-282p-7465)
+						hub = NULL;
 					}
 
 					if (found == false)
@@ -3790,8 +3797,6 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapSize)
 						PPP_PACKET* pack;
 						UINT identificator = p->Eap_PacketId;
 
-						ReleaseHub(hub);
-
 						PPPSetStatus(p, PPP_STATUS_AUTH_FAIL);
 
 						pack = ZeroMalloc(sizeof(PPP_PACKET));