mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2025-04-19 04:26:43 +02:00
30 lines
1.2 KiB
Diff
30 lines
1.2 KiB
Diff
From 940e5206c4c1dfa44da5585f0d99e9b34338d234 Mon Sep 17 00:00:00 2001
|
|
From: Graham Northup <graham@whereto.com>
|
|
Date: Mon, 17 Jun 2024 11:54:17 -0400
|
|
Subject: [PATCH] Fix CVE-2024-28820
|
|
|
|
An attacker who can control the challenge/response password field could, with a
|
|
valid LDAP username, pass a string with more than 14 colons into this field,
|
|
causing a buffer overflow. This happens before the number of tokens is checked
|
|
for validity below.
|
|
|
|
This commit ensures that the loop bails before attempting to write past the end
|
|
of tokenIndexes; as of the currently-published protocol, any response with more
|
|
than 15 fields is certainly invalid (and will be rejected below).
|
|
---
|
|
src/openvpn-cr.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/src/openvpn-cr.c b/src/openvpn-cr.c
|
|
index 7151e79..6ab75b9 100644
|
|
--- a/src/openvpn-cr.c
|
|
+++ b/src/openvpn-cr.c
|
|
@@ -29,7 +29,7 @@ int extract_openvpn_cr(const char *response, openvpn_response *result, char **er
|
|
tokenIndexes[0] = response;
|
|
int tokenCnt = 1;
|
|
const char *p;
|
|
- for (p = response; *p; ++p) {
|
|
+ for (p = response; *p && tokenCnt < 15; ++p) {
|
|
if (*p == ':')
|
|
tokenIndexes[tokenCnt++] = p + 1;
|
|
}
|