id: 368
summary: --auth-user-pass does not null-terminate strings from console input via systemd-ask-password
reporter: harzaf
owner: David Sommerseth
type: Bug / Defect
status: closed
priority: major
milestone: release 2.3.11
component: Generic / unclassified
version: OpenVPN 2.3.2 (Community Ed)
severity: Not set (select this one, unless you're an OpenVPN developer)
resolution: fixed
keywords:
cc:

description:

== Steps to Reproduce ==
 * Linux distro with systemd (testing on Arch Linux x64)
 * OpenVPN 2.3.2 running as a client
 * --auth-user-pass (to read in from console; no file specified)
 * Enter a username of maximum length (USER_PASS_LEN in misc.h)
 * Enter any password
 * Observe in a debugger/printf that OpenVPN has the username=username + password (because the username string is not null-terminated)
 * This causes a problem accessing at least one VPN provider which uses usernames of length 128 when the binary has USER_PASS_LEN as 128. (E.g. [https://cryptostorm.org/viewtopic.php?f=37&t=3907 Cryptostorm])

== Error ==
In console.c:
{{{#!C
get_console_input_systemd (const char *prompt, const bool echo, char *input, const int capacity)
{
  ...
  CLEAR (*input);
  /* read() may fill all capacity bytes, leaving no room for the '\0' */
  if (read (std_out, input, capacity) != 0)
    {
      chomp (input);
      ret = true;
    }
  ...
}
}}}
The read() fills the entire input buffer, which is then no longer a null-terminated string.

== Fix ==
The ideal fix should:
 1. Ensure the input is always null-terminated
 2. Warn the user if the input is too long instead of silently using **wrong** username/password

In console.c:
{{{#!C
get_console_input_systemd (const char *prompt, const bool echo, char *input, const int capacity)
{
  ssize_t bytes;
  ...
  CLEAR (*input);
  bytes = read (std_out, input, capacity);
  if (bytes == capacity)
    {
      /* Warn the user instead of silently truncating input */
      msg (M_FATAL, "Input too long for buffer.", prompt);
    }
  else if (bytes != 0)
    {
      chomp (input);
      ret = true;
    }
  ...
}
}}}
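
The two requirements listed under "Fix", as an added stand-alone example that is not OpenVPN's code or the reporter's patch: the reader reserves the last byte for the terminator, rejects over-long input instead of truncating it, and wipes the buffer on failure. The names `read_terminated` and `feed`, the return codes and the pipe harness are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>

enum { INPUT_OK = 0, INPUT_ERROR = -1, INPUT_TOO_LONG = -2 };

/* Hypothetical helper, not OpenVPN code: read one line from fd into buf
 * (capacity bytes) and always leave buf NUL-terminated. */
int read_terminated(int fd, char *buf, size_t capacity)
{
    size_t used = 0;
    ssize_t n = 0;
    char extra;
    if (capacity == 0) return INPUT_ERROR;
    memset(buf, 0, capacity);          /* clear the whole buffer */
    while (used < capacity - 1) {      /* last byte is reserved for '\0' */
        n = read(fd, buf + used, capacity - 1 - used);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0)
            break;                     /* EOF or error */
        used += (size_t)n;
        if (memchr(buf, '\n', used))
            break;                     /* complete line received */
    }
    /* Full buffer without a newline: any further byte other than the
     * newline itself means the input does not fit. */
    if (n < 0 || (used == capacity - 1 && !memchr(buf, '\n', used)
                  && read(fd, &extra, 1) == 1 && extra != '\n')) {
        memset(buf, 0, capacity);      /* keep no partial secret */
        return n < 0 ? INPUT_ERROR : INPUT_TOO_LONG;
    }
    buf[strcspn(buf, "\r\n")] = '\0';  /* chomp */
    return buf[0] ? INPUT_OK : INPUT_ERROR;
}

/* Constructed harness: send data through a pipe, standing in for the
 * helper process's output, and read it back. */
int feed(const char *data, char *buf, size_t capacity)
{
    int fds[2], rc;
    if (pipe(fds) != 0) return INPUT_ERROR;
    rc = write(fds[1], data, strlen(data)) < 0 ? INPUT_ERROR : INPUT_OK;
    close(fds[1]);
    if (rc == INPUT_OK)
        rc = read_terminated(fds[0], buf, capacity);
    close(fds[0]);
    return rc;
}
```

With `capacity` equal to USER_PASS_LEN this accepts at most USER_PASS_LEN - 1 characters, so a 128-character username needs a buffer larger than 128 bytes.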