Ticket #894: 0001-If-vsnprintf-fails-set-the-first-element-of-the-outp.patch

File 0001-If-vsnprintf-fails-set-the-first-element-of-the-outp.patch, 5.5 KB (added by gvranken, 4 years ago)
  • src/openvpn/buffer.c

    From 6b2f9fce848f8129f29b3e3e2b0318eafaf36754 Mon Sep 17 00:00:00 2001
    From: Guido Vranken <guidovranken@gmail.com>
    Date: Tue, 23 May 2017 17:23:43 +0200
    Subject: [PATCH] If vsnprintf fails, set the first element of the output
     buffer to zero, effectively making it a valid string of length 0, to ensure
     that string operations on the output buffer do not read uninitialized data
    
    ---
     src/openvpn/buffer.c      |  8 ++++++++
     src/openvpn/error.c       |  9 +++++++--
     src/openvpn/pkcs11.c      |  5 ++++-
     src/openvpn/pool.c        |  5 ++++-
     src/openvpn/push.c        |  2 +-
     src/openvpn/route.c       | 10 ++++++++--
     src/openvpn/ssl_mbedtls.c |  7 +++++--
     7 files changed, 37 insertions(+), 9 deletions(-)
    
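diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c
index 7e46387..c253611 100644
--- a/src/openvpn/buffer.c
+++ b/src/openvpn/buffer.c
@@ -237,6 +237,10 @@ buf_printf(struct buffer *buf, const char *format, ...)
             stat = vsnprintf((char *)ptr, cap, format, arglist);
             va_end(arglist);
             *(buf->data + buf->capacity - 1) = 0; /* windows vsnprintf needs this */
+            if (stat < 0)
+            {
+                *ptr = 0;
+            }
             buf->len += (int) strlen((char *)ptr);
             if (stat >= 0 && stat < cap)
             {
@@ -284,6 +288,10 @@ openvpn_snprintf(char *str, size_t size, const char *format, ...)
         va_start(arglist, format);
         len = vsnprintf(str, size, format, arglist);
         va_end(arglist);
+        if (len < 0)
+        {
+            *str = 0;
+        }
         str[size - 1] = 0;
     }
     return (len >= 0 && len < size);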
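Review bot: The new `if (stat < 0)` and `if (len < 0)` branches in buf_printf and openvpn_snprintf carry no comment, although the terminator write beside them explains itself, so a reader cannot tell why the first byte is cleared as well. I would add `/* vsnprintf failed: buffer contents are unspecified, make it an empty string */` above each branch. In buf_printf this matters directly, because the very next statement calls `strlen((char *)ptr)` to advance `buf->len`. Both functions start and end outside the hunks.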
  • src/openvpn/error.c

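diff --git a/src/openvpn/error.c b/src/openvpn/error.c
index dbff81d..1447efe 100644
--- a/src/openvpn/error.c
+++ b/src/openvpn/error.c
@@ -230,7 +230,7 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist)
     char *m1;
     char *m2;
     char *tmp;
-    int e;
+    int e, ret;
     const char *prefix;
     const char *prefix_sep;
 
@@ -262,9 +262,14 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist)
     m1 = (char *) gc_malloc(ERR_BUF_SIZE, false, &gc);
     m2 = (char *) gc_malloc(ERR_BUF_SIZE, false, &gc);
 
-    vsnprintf(m1, ERR_BUF_SIZE, format, arglist);
+    ret = vsnprintf(m1, ERR_BUF_SIZE, format, arglist);
     m1[ERR_BUF_SIZE - 1] = 0; /* windows vsnprintf needs this */
 
+    if (ret < 0)
+    {
+        *m1 = 0;
+    }
+
     if ((flags & M_ERRNO) && e)
     {
         openvpn_snprintf(m2, ERR_BUF_SIZE, "%s: %s (errno=%d)",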
  • src/openvpn/pkcs11.c

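diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
index 3e494e5..a7300f4 100644
--- a/src/openvpn/pkcs11.c
+++ b/src/openvpn/pkcs11.c
@@ -178,7 +178,10 @@ _pkcs11_openvpn_log(
 
     (void)global_data;
 
-    vsnprintf(Buffer, sizeof(Buffer), szFormat, args);
+    if (vsnprintf(Buffer, sizeof(Buffer), szFormat, args) < 0)
+    {
+        Buffer[0] = 0;
+    }
     Buffer[sizeof(Buffer)-1] = 0;
 
     msg(_pkcs11_msg_pkcs112openvpn(flags), "%s", Buffer);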
  • src/openvpn/pool.c

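diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c
index 9543a9d..625980c 100644
--- a/src/openvpn/pool.c
+++ b/src/openvpn/pool.c
@@ -601,7 +601,10 @@ ifconfig_pool_test(in_addr_t start, in_addr_t end)
         ifconfig_pool_handle h;
         in_addr_t local, remote;
         char buf[256];
-        snprintf(buf, sizeof(buf), "common-name-%d", i+24);
+        if (snprintf(buf, sizeof(buf), "common-name-%d", i+24) < 0)
+        {
+            buf[0] = 0;
+        }
 #ifdef DUP_CN
         cn = NULL;
 #else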
  • src/openvpn/push.c

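diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index bcef0ef..9db8f3e 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -583,7 +583,7 @@ push_option_fmt(struct gc_arena *gc, struct push_list *push_list,
     va_start(arglist, format);
     len = vsnprintf(tmp, sizeof(tmp), format, arglist);
     va_end(arglist);
-    if (len > sizeof(tmp)-1)
+    if (len < 0 || len > sizeof(tmp)-1)
     {
         return false;
     }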
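Review bot: The second operand of the new condition in push_option_fmt, `len > sizeof(tmp)-1`, still compares a signed value with a `size_t`. The declaration of `len` is outside the hunk; if it is an `int`, a negative result was already rejected before this change, but only through the implicit conversion to a large unsigned value. Now that the failure case is tested explicitly, I would make the conversion explicit too: `if (len < 0 || (size_t)len > sizeof(tmp)-1)`. That keeps the intent readable and the line clean under `-Wsign-compare`.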
  • src/openvpn/route.c

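diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index 33cdc0b..9e3ae33 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -1889,7 +1889,10 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flag
     {
         int len = strlen(gateway) + 1 + strlen(r6->iface)+1;
         char *tmp = gc_malloc( len, true, &gc );
-        snprintf( tmp, len, "%s%%%s", gateway, r6->iface );
+        if (snprintf( tmp, len, "%s%%%s", gateway, r6->iface ) < )
+        {
+            *tmp = 0;
+        }
         gateway = tmp;
     }
 #endif
@@ -2348,7 +2351,10 @@ delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, unsigned
     {
         int len = strlen(gateway) + 1 + strlen(r6->iface)+1;
         char *tmp = gc_malloc( len, true, &gc );
-        snprintf( tmp, len, "%s%%%s", gateway, r6->iface );
+        if (snprintf( tmp, len, "%s%%%s", gateway, r6->iface ) < 0)
+        {
+            *tmp = 0;
+        }
         gateway = tmp;
     }
 #endif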
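Review bot: The added condition in add_route_ipv6 is incomplete: it ends in `< )` with no right-hand operand, so the file will not compile wherever this branch is enabled. It should read `if (snprintf( tmp, len, "%s%%%s", gateway, r6->iface ) < 0)`, exactly as the matching change in delete_route_ipv6 does. Both blocks close with `#endif`, so the error presumably shows only on the platform that selects this code path; the patch should be built there before it is applied. Both functions start outside the hunks.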
  • src/openvpn/ssl_mbedtls.c

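diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index ba8dadf..6664141 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1338,8 +1338,11 @@ get_ssl_library_version(void)
 {
     static char mbedtls_version[30];
     unsigned int pv = mbedtls_version_get_number();
-    sprintf( mbedtls_version, "mbed TLS %d.%d.%d",
-             (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
+    if (sprintf( mbedtls_version, "mbed TLS %d.%d.%d",
+             (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff ) < 0)
+    {
+        mbedtls_version[0] = 0;
+    }
     return mbedtls_version;
 }
 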
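Review bot: get_ssl_library_version still writes into the 30-byte static `mbedtls_version` with unbounded `sprintf`. The longest output of the current format fits, but nothing enforces that if the format string is ever extended. Since the commit already touches this call, I would bound it by replacing `sprintf( mbedtls_version,` with `snprintf( mbedtls_version, sizeof(mbedtls_version),` and keep the `mbedtls_version[0] = 0;` fallback. The three arguments are `unsigned int` expressions, so `%u` would match them more precisely than `%d`.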