Opened 2 years ago

Closed 2 years ago

#1439 closed Bug / Defect (notabug)

unsigned integer overflow in dhcp 154:36

Reported by: swirsz
Owned by:
Priority: minor
Milestone: alpha 2.4
Component: Generic / unclassified
Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: integer overflow
Cc: tct

Description

Crash discovered when fuzzing: fuzz_dhcp crash-ef4.txt

Input file https://www.wirsz.com/script/crash-ef4.txt

dhcp.c:154:36: runtime error: unsigned integer overflow: 22 - 268 cannot be represented in type 'unsigned long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior dhcp.c:154:36 in
Executed crash-ef4.txt in 0 ms

UBSan compiled from Github repository: November 14, 2021

Change History (3)

comment:1 Changed 2 years ago by tct

Cc: tct added

comment:2 Changed 2 years ago by Gert Döring

The "crash-ef4.txt" file referenced there seems to be a binary, not a .txt file?

That said, I wonder which code base this refers to. In openvpn "master", line 154 is

in_addr_t
dhcp_extract_router_msg(struct buffer *ipbuf)
{
    struct dhcp_full *df = (struct dhcp_full *) BPTR(ipbuf);
    const int optlen = BLEN(ipbuf) - (sizeof(struct openvpn_iphdr) + sizeof(struct openvpn_udphdr) + sizeof(struct dhcp));
 
    if (optlen >= 0

and optlen is a signed int type, as is BLEN(ipbuf) - so this seems to be all well-defined signed-integer arithmetic, with a subsequent check for "was BLEN() too short?".

What am I overlooking here? Why does it want to represent anything in an "unsigned long"?

Last edited 2 years ago by Gert Döring
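Worked example, added here and not code from the ticket or from the OpenVPN code base: it reproduces the arithmetic behind the sanitizer message "22 - 268". BLEN() yields an int, but each sizeof() term is a size_t, so C's usual arithmetic conversions convert the int operand to unsigned long and the subtraction is performed modulo 2^64. That wrap is defined behaviour in C; UBSan reports it only when built with -fsanitize=unsigned-integer-overflow, which flags defined unsigned wraparound as well. Storing the wrapped value into const int converts it back to a signed value (implementation-defined for out-of-range values; modular truncation on gcc and clang), which is why optlen comes out negative and the optlen >= 0 check still rejects the short packet. The functions below take the 268 from the sanitizer message as a constructed header total (the split into 20 + 8 + 240 bytes is an assumption, not taken from the page); the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed header total mirroring the "268" in the sanitizer message.
 * Assumed split: 20 (IPv4) + 8 (UDP) + 240 (fixed DHCP header); only the
 * total matters for the arithmetic shown here. */
#define HDR_TOTAL ((size_t)268)

/* The expression in the shape the ticket quotes: int minus size_t.
 * blen is converted to unsigned long, the subtraction wraps modulo 2^64
 * (defined by C, but reported by -fsanitize=unsigned-integer-overflow),
 * and the assignment to int converts the huge value back. For 22 - 268
 * that yields -246 on two's-complement targets such as gcc/clang x86-64
 * (the out-of-range conversion is implementation-defined). */
int optlen_as_written(int blen, size_t hdr_total)
{
    const int optlen = blen - hdr_total; /* implicit unsigned long -> int */
    return optlen;
}

/* Tells whether the unsigned subtraction above wrapped, i.e. whether the
 * buffer is shorter than the fixed headers (or has a negative length). */
int subtraction_wraps(int blen, size_t hdr_total)
{
    return blen < 0 || (size_t)blen < hdr_total;
}

/* Pitfall: if the result were compared without first being stored in an
 * int, the comparison happens in unsigned long and ">= 0" is always true,
 * so a too-short packet would pass the check. This returns 1 for any input. */
int unsigned_compare_pitfall(int blen, size_t hdr_total)
{
    return (blen - hdr_total) >= 0 ? 1 : 0;
}

/* A form that never relies on wraparound or on the int conversion: check
 * the length first, then subtract in one type. -1 signals "too short",
 * so callers can keep the existing "optlen >= 0" test. */
int optlen_checked(int blen, size_t hdr_total)
{
    if (blen < 0 || (size_t)blen < hdr_total)
        return -1;
    return (int)((size_t)blen - hdr_total);
}

int main(void)
{
    const int lengths[] = {22, 268, 300};
    size_t i;

    for (i = 0; i < sizeof(lengths) / sizeof(lengths[0]); i++) {
        int blen = lengths[i];
        printf("BLEN=%d: as_written=%d wraps=%d pitfall=%d checked=%d\n",
               blen,
               optlen_as_written(blen, HDR_TOTAL),
               subtraction_wraps(blen, HDR_TOTAL),
               unsigned_compare_pitfall(blen, HDR_TOTAL),
               optlen_checked(blen, HDR_TOTAL));
    }
    return 0;
}
```

Compile with clang -fsanitize=unsigned-integer-overflow to see the same "unsigned integer overflow: 22 - 268" report on the first call; the plain signed-overflow checks in -fsanitize=undefined do not fire, because no signed arithmetic overflows here.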

comment:3 Changed 2 years ago by Gert Döring

Resolution: notabug
Status: new → closed

No reply for 4 months, I can't do anything about this.
