Opened 2 years ago
Closed 2 years ago
#1439 closed Bug / Defect (notabug)
unsigned integer overflow in dhcp 154:36
Reported by: | swirsz | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | alpha 2.4 |
Component: | Generic / unclassified | Version: | OpenVPN git master branch (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | integer overflow |
Cc: | tct |
Description
Crash discovered when fuzzing: fuzz_dhcp crash-ef4.txt
Input file https://www.wirsz.com/script/crash-ef4.txt
dhcp.c:154:36: runtime error: unsigned integer overflow: 22 - 268 cannot be represented in type 'unsigned long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior dhcp.c:154:36 in
Executed crash-ef4.txt in 0 ms
UBSan compiled from Github repository: November 14, 2021
Change History (3)
comment:1 Changed 2 years ago by
Cc: | tct added |
---|
comment:3 Changed 2 years ago by
Resolution: | → notabug |
---|---|
Status: | new → closed |
No reply for 4 months, I can't do anything about this.
The "crash-ef4.txt" file referenced there seems to be a binary, not a .txt file?
That said, I wonder which code base this refers to. In openvpn "master", line 154 is
and optlen is a signed int type, as is BLEN(ipbuf) - so this seems to be all well defined signed-integer arithmetic, with a subsequent check for "was BLEN() too short?".
What am I overlooking here? Why does it want to represent anything in an "unsigned long"?
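Added example, not part of the ticket and not OpenVPN's dhcp.c: a constructed C sketch of how the same subtraction, 22 - 268, behaves when a `size_t` operand is involved versus when both operands are `int`, followed by a DHCP option walk (RFC 2132 code/length/data layout) that compares before advancing. All function names and sample bytes are hypothetical. Unsigned wraparound is defined behaviour in C; clang reports it only under the opt-in `-fsanitize=unsigned-integer-overflow` check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers, constructed for illustration only. */

/* A size_t operand makes the subtraction unsigned (the cast spells out the
 * usual arithmetic conversion), so 22 - 268 wraps to a huge value. */
size_t remaining_unsigned(int buf_len, size_t hdr_len)
{
    return (size_t)buf_len - hdr_len;
}

/* Both operands int: the result is -246, which a later "too short?" test can see. */
int remaining_signed(int buf_len, int hdr_len)
{
    return buf_len - hdr_len;
}

/* Walk DHCP options (code, length, data; 0 = pad, 255 = end), comparing
 * before advancing so no subtraction can wrap.
 * Returns the option's data length, -1 if absent, -2 if truncated. */
int find_option(const uint8_t *opts, size_t len, uint8_t want, const uint8_t **data)
{
    size_t i = 0;
    while (i < len) {
        uint8_t code = opts[i];
        if (code == 255) break;
        if (code == 0) { i++; continue; }
        if (len - i < 2) return -2;          /* safe: i < len */
        size_t olen = opts[i + 1];
        if (len - i - 2 < olen) return -2;   /* safe: len - i >= 2 */
        if (code == want) { *data = opts + i + 2; return (int)olen; }
        i += 2 + olen;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample options: type 53, router (3), end marker. */
    const uint8_t ok[] = {53, 1, 5, 3, 4, 10, 8, 0, 1, 255};
    const uint8_t *d = NULL;
    printf("unsigned: %zu  signed: %d\n",
           remaining_unsigned(22, 268), remaining_signed(22, 268));
    printf("router option length: %d\n", find_option(ok, sizeof ok, 3, &d));
    printf("truncated input: %d\n", find_option(ok, 7, 3, &d));
    return 0;
}
```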