Opened 15 months ago

Closed 8 months ago

#1439 closed Bug / Defect (notabug)

unsigned integer overflow in dhcp 154:36

Reported by: swirsz Owned by:
Priority: minor Milestone: alpha 2.4
Component: Generic / unclassified Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: integer overflow
Cc: tct


Crash discovered when fuzzing: fuzz_dhcp crash-ef4.txt

Input file

dhcp.c:154:36: runtime error: unsigned integer overflow: 22 - 268 cannot be represented in type 'unsigned long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior dhcp.c:154:36 in
Executed crash-ef4.txt in 0 ms

UBSan compiled from Github repository: November 14, 2021

Change History (3)

comment:1 Changed 14 months ago by tct

Cc: tct added

comment:2 Changed 12 months ago by Gert Döring

The "crash-ef4.txt" file referenced there seems to be a binary, not a .txt file?

That said, I wonder which code base this refers to. In openvpn "master", line 154 is

dhcp_extract_router_msg(struct buffer *ipbuf)
{
    struct dhcp_full *df = (struct dhcp_full *) BPTR(ipbuf);
    const int optlen = BLEN(ipbuf) - (sizeof(struct openvpn_iphdr) + sizeof(struct openvpn_udphdr) + sizeof(struct dhcp));
    if (optlen >= 0

and optlen is a signed int type, as is BLEN(ipbuf) - so this seems to be all well defined signed-integer arithmetics, with a subsequent check for "was BLEN() too short?".

What am I overlooking here? Why does it want to represent anything in an "unsigned long"?

Last edited 12 months ago by Gert Döring (previous) (diff)
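Editor's note, added to this ticket and not part of the original discussion or of OpenVPN's code: the "unsigned long" in the sanitizer message comes from the usual arithmetic conversions. BLEN() is an int, but the three sizeof() terms are size_t, so the int operand is converted to size_t before the subtraction, the subtraction wraps modulo SIZE_MAX + 1, and only then is the result converted back to int for the assignment to optlen. Clang's -fsanitize=unsigned-integer-overflow reports that wrap even though unsigned wraparound is well-defined C. The example below reproduces the arithmetic with a constructed header size of 268 bytes (the figure in the message; the 20 + 8 + 240 split into IP, UDP and fixed DHCP header is an assumption) and shows that the value landing in optlen, and the "optlen >= 0" guard, come out the same whether the expression is written with the size_t sum or with that sum cast to int first. The function names are illustrative and not OpenVPN's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for sizeof(struct openvpn_iphdr) +
 * sizeof(struct openvpn_udphdr) + sizeof(struct dhcp).  The total of 268
 * is taken from the sanitizer message; the 20 + 8 + 240 split is an
 * assumption made for this example. */
#define FIXED_HDRS ((size_t)20 + (size_t)8 + (size_t)240)

/* The subtraction exactly as the compiler sees it on the ticket's line:
 * the int operand is converted to size_t by the usual arithmetic
 * conversions, so 22 - 268 is computed modulo SIZE_MAX + 1 and wraps.
 * This wrap is what -fsanitize=unsigned-integer-overflow reports; it is
 * well-defined C, not undefined behaviour. */
size_t optlen_raw_unsigned(int blen)
{
    return (size_t)blen - FIXED_HDRS;            /* blen=22 -> SIZE_MAX - 245 */
}

/* The value that actually lands in 'const int optlen': the wrapped size_t
 * converted back to int.  That conversion is implementation-defined
 * before C23; gcc and clang on two's-complement targets yield -246. */
int optlen_as_written(int blen)
{
    return (int)optlen_raw_unsigned(blen);       /* blen=22 -> -246 */
}

/* Same quantity with the header size cast to int first, so the whole
 * expression stays in signed arithmetic and the unsigned check never fires. */
int optlen_signed(int blen)
{
    return blen - (int)FIXED_HDRS;               /* blen=22 -> -246 */
}

/* The guard from the quoted code, 'if (optlen >= 0 ...': a 22-byte buffer
 * is rejected, a buffer at least as long as the fixed headers is accepted. */
bool dhcp_options_present(int blen)
{
    return optlen_as_written(blen) >= 0;
}

int main(void)
{
    /* Constructed buffer lengths: the one from the crash, the exact header
     * size, and a packet with 32 bytes of options. */
    int lens[] = { 22, 268, 300 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("BLEN=%d  raw=%zu  as_written=%d  signed=%d  options=%s\n",
               lens[i], optlen_raw_unsigned(lens[i]),
               optlen_as_written(lens[i]), optlen_signed(lens[i]),
               dhcp_options_present(lens[i]) ? "yes" : "no");
    }
    return 0;
}
```

Build with clang -fsanitize=unsigned-integer-overflow to see optlen_raw_unsigned() reported for BLEN=22 while optlen_signed() stays silent; with -fsanitize=undefined alone neither is reported, because no signed overflow occurs in either path.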

comment:3 Changed 8 months ago by Gert Döring

Resolution: notabug
Status: new → closed

No reply for 4 months, I can't do anything about this.
