From: Selva Nair <selva.n...@gmail.com> - If only 1 byte is read from the interactive service client pipe, that evaluates to zero wide characters and subsequent check for NUL termination in the data buffer segfaults. Fix: reject clients that send less than a complete wide character.
Signed-off-by: Selva Nair <selva.n...@gmail.com> --- src/openvpnserv/interactive.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index f3be113..0d162e8 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -466,6 +466,13 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud) } size = bytes / sizeof(*data); + if (size == 0) + { + MsgToEventLog(M_SYSERR, TEXT("malformed startup data: 1 byte received")); + ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); + goto out; + } + data = malloc(bytes); if (data == NULL) { -- 2.6.2
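Review bot: the new "size == 0" check in GetStartupData() only rejects input shorter than one wide character; any other byte count that is not a multiple of sizeof(*data) (for example 3 bytes) still passes, "size" is rounded down by the integer division, and malloc(bytes) keeps the trailing partial character. Consider also rejecting bytes % sizeof(*data) != 0 at this point so that every buffer reaching the later NUL-termination check holds whole wide characters. The log text also hardcodes "1 byte received", which is accurate only if a zero-length read is already rejected above this hunk; the visible context does not show that, so logging the actual value of "bytes" would be safer and more useful when reading the event log.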