Opened 3 years ago

Closed 2 years ago

#922 closed Bug / Defect (fixed)

signed integer overflow in event_timeout_trigger (src/openvpn/interval.c:54)

Reported by: geeknik
Owned by:
Priority: minor
Milestone: release 2.4.5
Component: Generic / unclassified
Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc: Steffan Karger

Description

Compiled git f9ebfe1 with UBSan/ASan. The attached "configuration" file triggers a "signed integer overflow" in event_timeout_trigger (src/openvpn/interval.c:54).

./openvpn --config test00

Sat Jul 29 11:20:56 2017 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Sat Jul 29 11:20:56 2017 OpenVPN 2.5_git [git:master/f9ebfe1b5a011e55] x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 14 2017
Sat Jul 29 11:20:56 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Sat Jul 29 11:20:56 2017 * WARNING *: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Sat Jul 29 11:20:56 2017 TUN/TAP device tun0 opened
Sat Jul 29 11:20:56 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Jul 29 11:20:56 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Jul 29 11:20:56 2017 UDPv4 link remote: [AF_UNSPEC]
interval.c:54:37: runtime error: signed integer overflow: 1501327256 + 1000000000 cannot be represented in type 'int'

#0 0x5b578d in event_timeout_trigger /root/openvpn/src/openvpn/interval.c:54:37
#1 0x553b1a in check_inactivity_timeout /root/openvpn/src/openvpn/./forward-inline.h:134:12
#2 0x553b1a in process_coarse_timers /root/openvpn/src/openvpn/forward.c:564
#3 0x553b1a in check_coarse_timers_dowork /root/openvpn/src/openvpn/forward.c:618
#4 0x553b1a in check_coarse_timers /root/openvpn/src/openvpn/forward.c:636
#5 0x553b1a in pre_select /root/openvpn/src/openvpn/forward.c:1577
#6 0x65d381 in tunnel_point_to_point /root/openvpn/src/openvpn/openvpn.c:81:9
#7 0x65d381 in openvpn_main /root/openvpn/src/openvpn/openvpn.c:283
#8 0x65d381 in main /root/openvpn/src/openvpn/openvpn.c:366
#9 0x7ff44ad25b44 in libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
#10 0x421d6b in _start (/root/openvpn/src/openvpn/openvpn+0x421d6b)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior interval.c:54:37

Attachments (1)

test000.gz (48 bytes) - added by geeknik 3 years ago.
malformed config


Change History (4)

Changed 3 years ago by geeknik

Attachment: test000.gz added

malformed config

comment:1 Changed 3 years ago by Gert Döring

Cc: Steffan Karger added
Priority: major → minor

For the benefit of other readers, including the two-line config here, uncompressed:

dev tun
inactive 1000000000

- and yeah, sounds like "exit after 31.7 years of inactivity" is something we should handle more gracefully :-) - we'll investigate.

@syzzer: this sounds like an opportunity for your magic overflow checks

comment:2 Changed 3 years ago by Gert Döring

Actually this is likely to be time_t, which is 64-bit on some and 32-bit on other platforms, so "tricky"...

comment:3 Changed 2 years ago by Gert Döring

Milestone: release 2.4.5
Resolution: fixed
Status: new → closed

commit f158c0e1df13ae1b697cdc7f189ddd1575a0c1aa (master)
commit 6d16c87de38610b05ec768af28a76a9389791134 (release/2.4)
Author: Selva Nair
Date: Tue Mar 6 01:09:28 2018 -0500

Avoid overflow in wakeup time computation

... fixed in master and 2.4.6-to-come.
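Added example (not OpenVPN's code, and not the contents of the fix commits above): one way to compute a "now + interval" wakeup time that cannot overflow whatever the width of time_t, with the overflow test written so that it never performs the offending addition. TIME_T_MAX, safe_wakeup and int_add_would_overflow are names chosen for this example, not OpenVPN identifiers; the example assumes time_t is a signed integer type.

```c
/* Added example, not OpenVPN's code: overflow-safe "now + interval" wakeup
 * computation. TIME_T_MAX, safe_wakeup and int_add_would_overflow are names
 * chosen for this example, not OpenVPN identifiers. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Largest value time_t can hold, derived from its size at compile time.
 * Assumes time_t is a signed integer type (the case on POSIX platforms). */
#define TIME_T_MAX \
    ((time_t)(((uintmax_t)1 << (sizeof(time_t) * CHAR_BIT - 1)) - 1))

/* Does the int addition now + interval overflow? Decided without
 * performing it, so this is defined behaviour for every input. */
static bool int_add_would_overflow(int now, int interval)
{
    return interval > 0 && now > INT_MAX - interval;
}

/* Return now + interval, clamped to TIME_T_MAX instead of wrapping.
 * *clamped (may be NULL) reports whether the timeout had to be shortened,
 * so the caller can log it rather than silently firing at the wrong time. */
static time_t safe_wakeup(time_t now, time_t interval, bool *clamped)
{
    if (clamped) *clamped = false;
    if (interval <= 0) return now;           /* non-positive interval: wake up now */
    if (now > TIME_T_MAX - interval) {       /* the overflow test itself cannot overflow */
        if (clamped) *clamped = true;
        return TIME_T_MAX;
    }
    return now + interval;
}

int main(void)
{
    /* The values from the sanitizer report: now = 1501327256, --inactive 1000000000 */
    time_t now = 1501327256, interval = 1000000000;
    bool clamped;
    time_t wake = safe_wakeup(now, interval, &clamped);
    printf("int addition would overflow: %s\n",
           int_add_would_overflow((int)now, (int)interval) ? "yes" : "no");
    printf("wakeup = %lld%s\n", (long long)wake, clamped ? " (clamped)" : "");
    return 0;
}
```

With a 32-bit time_t the reported values clamp to TIME_T_MAX and the flag is set; with a 64-bit time_t the sum fits and the int-only check still reports that the original int arithmetic would have overflowed.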
