blob: e6ed4844ce0beb545ade78e0058089d31d7043ed (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
From 940e5206c4c1dfa44da5585f0d99e9b34338d234 Mon Sep 17 00:00:00 2001
From: Graham Northup <graham@whereto.com>
Date: Mon, 17 Jun 2024 11:54:17 -0400
Subject: [PATCH] Fix CVE-2024-28820
An attacker who can control the challenge/response password field could, with a
valid LDAP username, pass a string with more than 14 colons into this field,
causing a buffer overflow. This happens before the number of tokens is checked
for validity below.
This commit ensures that the loop bails before attempting to write past the end
of tokenIndexes; as of the currently-published protocol, any response with more
than 15 fields is certainly invalid (and will be rejected below).
---
src/openvpn-cr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn-cr.c b/src/openvpn-cr.c
index 7151e79..6ab75b9 100644
--- a/src/openvpn-cr.c
+++ b/src/openvpn-cr.c
@@ -29,7 +29,7 @@ int extract_openvpn_cr(const char *response, openvpn_response *result, char **er
tokenIndexes[0] = response;
int tokenCnt = 1;
const char *p;
- for (p = response; *p; ++p) {
+ for (p = response; *p && tokenCnt < 15; ++p) {
if (*p == ':')
tokenIndexes[tokenCnt++] = p + 1;
}
|