Opened 7 years ago
Closed 6 years ago
#922 closed Bug / Defect (fixed)
signed integer overflow in event_timeout_trigger (src/openvpn/interval.c:54)
| Reported by: | geeknik | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | release 2.4.5 |
| Component: | Generic / unclassified | Version: | OpenVPN git master branch (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: | Steffan Karger |
Description
Compiled git f9ebfe1 with UBSan/ASan. The attached "configuration" file triggers a "signed integer overflow" in event_timeout_trigger (src/openvpn/interval.c:54).
./openvpn --config test00
Sat Jul 29 11:20:56 2017 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Sat Jul 29 11:20:56 2017 OpenVPN 2.5_git [git:master/f9ebfe1b5a011e55] x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 14 2017
Sat Jul 29 11:20:56 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Sat Jul 29 11:20:56 2017 * WARNING *: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
Sat Jul 29 11:20:56 2017 TUN/TAP device tun0 opened
Sat Jul 29 11:20:56 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Jul 29 11:20:56 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Jul 29 11:20:56 2017 UDPv4 link remote: [AF_UNSPEC]
interval.c:54:37: runtime error: signed integer overflow: 1501327256 + 1000000000 cannot be represented in type 'int'
#0 0x5b578d in event_timeout_trigger /root/openvpn/src/openvpn/interval.c:54:37
#1 0x553b1a in check_inactivity_timeout /root/openvpn/src/openvpn/./forward-inline.h:134:12
#2 0x553b1a in process_coarse_timers /root/openvpn/src/openvpn/forward.c:564
#3 0x553b1a in check_coarse_timers_dowork /root/openvpn/src/openvpn/forward.c:618
#4 0x553b1a in check_coarse_timers /root/openvpn/src/openvpn/forward.c:636
#5 0x553b1a in pre_select /root/openvpn/src/openvpn/forward.c:1577
#6 0x65d381 in tunnel_point_to_point /root/openvpn/src/openvpn/openvpn.c:81:9
#7 0x65d381 in openvpn_main /root/openvpn/src/openvpn/openvpn.c:283
#8 0x65d381 in main /root/openvpn/src/openvpn/openvpn.c:366
#9 0x7ff44ad25b44 in libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
#10 0x421d6b in _start (/root/openvpn/src/openvpn/openvpn+0x421d6b)
SUMMARY: UndefinedBehaviorSanitizer?: undefined-behavior interval.c:54:37
Attachments (1)
Change History (4)
Changed 7 years ago by
| Attachment: | test000.gz added |
|---|
comment:1 Changed 7 years ago by
| Cc: | Steffan Karger added |
|---|---|
| Priority: | major → minor |
For the benefit of other readers, including the two line config here, uncompressed
dev tun inactive 1000000000
- and yeah, sounds like "exit after 31.7 years of inactivity" is something we should handle more gracefully :-) - we'll investigate.
@syzzer: this sounds like an opportunity for your magic overflow checks
comment:2 Changed 7 years ago by
actually this is likely to be time_t, which is 64 bit on some and 32 bit on other platforms, so "tricky"...
comment:3 Changed 6 years ago by
| Milestone: | → release 2.4.5 |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
commit f158c0e1df13ae1b697cdc7f189ddd1575a0c1aa (master)
commit 6d16c87de38610b05ec768af28a76a9389791134 (release/2.4)
Author: Selva Nair
Date: Tue Mar 6 01:09:28 2018 -0500
Avoid overflow in wakeup time computation
... fixed in master and 2.4.6-to-come.
malformed config