Opened 6 months ago

Last modified 3 months ago

#1439 new Bug / Defect

unsigned integer overflow in dhcp 154:36

Reported by: swirsz Owned by:
Priority: minor Milestone: alpha 2.4
Component: Generic / unclassified Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: integer overflow
Cc: tct

Description

Crash discovered when fuzzing: fuzz_dhcp crash-ef4.txt

Input file https://www.wirsz.com/script/crash-ef4.txt

dhcp.c:154:36: runtime error: unsigned integer overflow: 22 - 268 cannot be represented in type 'unsigned long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior dhcp.c:154:36 in
Executed crash-ef4.txt in 0 ms

UBSan compiled from Github repository: November 14, 2021

Change History (2)

comment:1 Changed 6 months ago by tct

Cc: tct added

comment:2 Changed 3 months ago by Gert Döring

The "crash-ef4.txt" file referenced there seems to be a binary, not a .txt file?

That said, I wonder which code base this refers to. In openvpn "master", line 154 is

in_addr_t
dhcp_extract_router_msg(struct buffer *ipbuf)
{
    struct dhcp_full *df = (struct dhcp_full *) BPTR(ipbuf);
    const int optlen = BLEN(ipbuf) - (sizeof(struct openvpn_iphdr) + sizeof(struct openvpn_udphdr) + sizeof(struct dhcp));
 
    if (optlen >= 0

and optlen is a signed int type, as is BLEN(ipbuf) - so this seems to be all well-defined signed-integer arithmetic, with a subsequent check for "was BLEN() too short?".

What am I overlooking here? Why does it want to represent anything in an "unsigned long"?

Last edited 3 months ago by Gert Döring
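The type promotion behind the sanitizer message, as an added example that is not OpenVPN's code: in the quoted snippet the subtraction is `int - size_t`, and C's usual arithmetic conversions evaluate that in size_t (unsigned long on LP64) before the result is narrowed to int. The three struct stand-ins and the function names below are constructed; their sizes are chosen only so the header sum equals the 268 in the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the three headers summed in the snippet; only the
 * sizes matter, chosen to add up to the 268 in the sanitizer message. */
struct ip_hdr_stub  { unsigned char b[20]; };
struct udp_hdr_stub { unsigned char b[8]; };
struct dhcp_stub    { unsigned char b[240]; };

#define HDR_TOTAL (sizeof(struct ip_hdr_stub) + sizeof(struct udp_hdr_stub) \
                   + sizeof(struct dhcp_stub))   /* type: size_t */

/* The snippet's expression is `int - size_t`. The int operand is converted to
 * size_t, the subtraction is performed unsigned and wraps whenever blen < 268,
 * and only then is the value narrowed to int. The two steps are written out so
 * the wrap is visible; the wrap is what -fsanitize=unsigned-integer-overflow
 * reports, even though the narrowed result still ends up negative. */
int optlen_as_written(int blen)
{
    unsigned long wrapped = (unsigned long) blen - HDR_TOTAL; /* 22 - 268 -> 2^64 - 246 */
    return (int) wrapped;  /* gcc/clang truncate modulo 2^32: -246, so the >= 0 check still works */
}

/* Signed form: convert the size_t sum to int first, so the subtraction is
 * signed-integer arithmetic and "optlen < 0 means the buffer is too short"
 * holds without any unsigned wrap for the sanitizer to flag. */
int optlen_signed(int blen)
{
    const int hdr_len = (int) HDR_TOTAL;
    return blen - hdr_len;
}

/* Runtime proof that the raw expression is evaluated unsigned: a signed result
 * would be -246 and compare false; the size_t result is huge and compares > 0. */
int subtraction_is_unsigned(void)
{
    int blen = 22;
    return (blen - HDR_TOTAL) > 0;
}

int main(void)
{
    printf("as written: %d  signed: %d  unsigned eval: %d\n",
           optlen_as_written(22), optlen_signed(22), subtraction_is_unsigned());
    return 0;
}
```

Clang's unsigned-integer-overflow check is a separate opt-in from -fsanitize=undefined and reports wraps that the C standard defines, which is why the report names 'unsigned long' although the final optlen is a signed int.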