Drop too-short control channel packets instead of asserting out.

This fixes a denial-of-service vulnerability where an authenticated client could stop the server by triggering a server-side ASSERT(). OpenVPN would previously ASSERT() that control channel packets have a payload of at least 4 bytes. An authenticated client could trigger this assert by sending a too-short control channel packet to the server. Thanks to Dragana Damjanovic for reporting the issue. This bug has been assigned CVE-2014-8104. Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7@FOXDFT02.FOX.local> Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit c5590a6821e37f3b29735f55eb0c2b9c0924138c)
2025-05-09 05:31:05 +08:00 · 2014-11-20 13:43:05 +01:00 · 2014-11-20 13:43:05 +01:00 · 1be49401a3
commit 1be49401a3
parent 12158e5a92
1 changed files with 5 additions and 1 deletions
--- a/ssl.c
+++ b/ssl.c
@ -3751,7 +3751,11 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
  ALLOC_ARRAY_CLEAR_GC (options, char, TLS_OPTIONS_LEN, &gc);
 		  
  /* discard leading uint32 */
-  ASSERT (buf_advance (buf, 4));
+  if (!buf_advance (buf, 4)) {
+    msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
+	buf->len);
+    goto error;
+  }

  /* get key method */
  key_method_flags = buf_read_u8 (buf);