On Fri, 2011-07-01 at 14:37 +0200, Pierre Crokaert wrote:
> Hello,
>
> This kind of error occurs with some HTTP proxies. It happens when the
> response from the server in phase 2 is longer than 128 bytes; in that
> case the response is truncated because we are only interested in the
> beginning, but as it is still in base64 format when it is truncated, it
> must be truncated at a multiple of 4 chars. Today it is truncated one char
> too short, which results in a bad base64decode result, and the response is
> rejected in phase 3.
>
> This was reproduced and fixed on a Microsoft forefront proxy server.
>
> Here is the patch against current git head (dc2ccc825c69...aacd)
>
> @@ -519,7 +519,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
> {
> struct gc_arena gc = gc_new ();
> char buf[512];
> - char buf2[128];
> + char buf2[129]; /* this buffer is a zero terminated base 64 string So it
> has to be a multiple of 4 char */
> char get[80];
> int status;
> int nparms;
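Review bot: the new comment on buf2 ("this buffer is a zero terminated base 64 string So it has to be a multiple of 4 char") does not say where 129 comes from; state it explicitly, e.g. `char buf2[129]; /* 128 base64 chars (a multiple of 4) + terminating NUL */`, because the sscanf width in the second hunk is derived from `sizeof (buf2) - 1` and whoever resizes this buffer next must keep the pair consistent. The comment has also been wrapped onto two lines by the mail client, so the hunk will not apply with git am as pasted; please resend with git send-email or as an attachment.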
> @@ -642,7 +642,7 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
>
> openvpn_snprintf (get, sizeof get, "%%*s NTLM %%%ds", (int)
> sizeof (buf2) - 1);
> nparms = sscanf (buf, get, buf2);
> - buf2[127] = 0; /* we only need the beginning - ensure it's
> null terminated. */
> + buf2[128] = 0; /* we only need the beginning - ensure it's
> null terminated. and multiple of 4 char*/
>
> /* check for "Proxy-Authenticate: NTLM TlRM..." */
> if (nparms == 1)
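Review bot: `buf2[128] = 0;` hard-codes the buffer size a second time, while the openvpn_snprintf format two lines above already derives its width from `sizeof (buf2) - 1`; write the terminator the same way, `buf2[sizeof (buf2) - 1] = 0;`, so a future resize cannot again leave the captured token at a length that is not a multiple of 4. The added comment "and multiple of 4 char" is also misleading on this line: the NUL is not at a multiple of 4, the 128 characters before it are. As in the first hunk, the line is wrapped by the mailer and will need resending.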
>
>
I don't know much about HTTP proxies, but:
- base64 is a multiple of 4
- the code change is safe. There could have been an impact on buf2 at that
point [1], but with buf2 being declared as "char buf2[128]", a buffer overflow
should not happen.
From me it would be an ACK :)
Just to make it easier for other people receiving the patch, it is
happening in proxy.c
[1]
http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn.git;a=blob;f=ntlm.c;h=4dfeed38909caa656b612dd1a553eb2ad35eaf9d;hb=HEAD#l245
>
> _______________________________________________
> Openvpn-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>
--
http://www.debuntu.org
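A worked illustration of the truncation rule discussed in this thread, added here as an example; it is not OpenVPN's own code and not part of the original message. It reproduces the sscanf field-width and terminator pattern of the patched proxy.c routine in a small function (parse_ntlm_challenge, a name chosen for this example), feeds it a constructed Proxy-Authenticate line carrying a 200-character NTLM token, and decodes whatever was kept: with a 128-byte buffer (width 127) the cut falls one character short of a whole 4-character group and the decode fails, with 129 (width 128) it succeeds and the NTLMSSP signature is intact. The base64 decoder, base64_truncate_len and the demo_* helpers are assumptions of this example, not project code.

```c
/* Added example, not OpenVPN code: base64 must be cut at a multiple of 4. */
#include <stdio.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, or -1 if outside it. */
static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode a NUL-terminated base64 string. Returns the number of bytes written
 * to out, or -1 if the length is not a multiple of 4, a character is outside
 * the alphabet, or the output would overflow outcap. */
int base64_decode(const char *in, unsigned char *out, size_t outcap)
{
    size_t len = strlen(in), i, n = 0;

    if (len % 4 != 0)
        return -1;
    for (i = 0; i < len; i += 4) {
        int v[4], k, pad = 0;
        for (k = 0; k < 4; k++) {
            if (in[i + k] == '=' && i + 4 == len && k >= 2) {
                v[k] = 0;               /* trailing padding in the last group */
                pad++;
            } else if ((v[k] = b64_val(in[i + k])) < 0) {
                return -1;
            }
        }
        if (n + 3 - pad > outcap)
            return -1;
        out[n++] = (unsigned char)((v[0] << 2) | (v[1] >> 4));
        if (pad < 2) out[n++] = (unsigned char)((v[1] << 4) | (v[2] >> 2));
        if (pad < 1) out[n++] = (unsigned char)((v[2] << 6) | v[3]);
    }
    return (int)n;
}

/* Longest prefix of at most max_chars made of whole 4-char groups: the length
 * at which a base64 string can be cut and still decode. */
size_t base64_truncate_len(size_t len, size_t max_chars)
{
    size_t n = len < max_chars ? len : max_chars;
    return n - n % 4;
}

/* Capture the token of "Proxy-Authenticate: NTLM <token>" into buf2 the way
 * proxy.c does: the sscanf field width is buf2_size - 1, so that many token
 * characters are kept. Returns 1 if a token was captured. */
int parse_ntlm_challenge(const char *line, char *buf2, size_t buf2_size)
{
    char get[80];
    int nparms;

    snprintf(get, sizeof get, "%%*s NTLM %%%ds", (int) buf2_size - 1);
    nparms = sscanf(line, get, buf2);
    buf2[buf2_size - 1] = 0;        /* keep only the beginning, NUL terminated */
    return nparms == 1;
}

/* Constructed challenge (not a captured one): the NTLM type-2 signature
 * "NTLMSSP\0\2\0\0\0" (base64 TlRMTVNTUAACAAAA) followed by 46 filler groups
 * "QUJD" ("ABC"), 200 token chars in all, longer than either buffer size under
 * discussion. Decodes whatever a buffer of buf2_size bytes keeps. */
static int demo_decode(size_t buf2_size, unsigned char *out, size_t outcap)
{
    char line[300] = "Proxy-Authenticate: NTLM TlRMTVNTUAACAAAA";
    char buf2[256];
    int i;

    if (buf2_size < 2 || buf2_size > sizeof buf2)
        return -1;
    for (i = 0; i < 46; i++)
        strcat(line, "QUJD");
    if (!parse_ntlm_challenge(line, buf2, buf2_size))
        return -1;
    return base64_decode(buf2, out, outcap);
}

/* Decoded byte count for a given buf2 size, or -1 if the cut token no longer
 * decodes (128 -> width 127 -> -1; 129 -> width 128 -> 96 bytes). */
int demo_decoded_len(size_t buf2_size)
{
    unsigned char out[256];
    return demo_decode(buf2_size, out, sizeof out);
}

/* 1 if the decoded token still starts with the NTLMSSP signature, else 0. */
int demo_header_ok(size_t buf2_size)
{
    unsigned char out[256];
    int n = demo_decode(buf2_size, out, sizeof out);
    return n >= 8 && memcmp(out, "NTLMSSP\0", 8) == 0;
}

int main(void)
{
    printf("buf2[128] (width 127): decode -> %d\n", demo_decoded_len(128));
    printf("buf2[129] (width 128): decode -> %d bytes, NTLMSSP header ok=%d\n",
           demo_decoded_len(129), demo_header_ok(129));
    return 0;
}
```

Because the sscanf width and the terminator index are both computed from the buffer size here, changing one number changes the kept length everywhere at once; the only invariant the caller has to maintain is that buf2_size - 1 is a multiple of 4.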