cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1314?usp=email )
Change subject: sitnl: set FD_CLOEXEC on socket to prevent abuse ...................................................................... sitnl: set FD_CLOEXEC on socket to prevent abuse Since OpenVPN spawns various child processes, it is important that sockets are closed after calling exec. The sitnl socket didn't have the right flag set, resulting in it surviving in, for example, connect/disconnect scripts and giving the latter a chance to abuse the socket. Ensure this doesn't happen by setting FD_CLOEXEC on this socket right after creation. Reported-by: Joshua Rogers <[email protected]> Found-by: ZeroPath (https://zeropath.com/) Change-Id: I54845bf4dd17d06cfc3b402f188795f74f4b1d3e Signed-off-by: Antonio Quartulli <[email protected]> Acked-by: Gert Doering <[email protected]> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1314 Message-Id: <[email protected]> URL: https://www.mail-archive.com/[email protected]/msg33952.html Signed-off-by: Gert Doering <[email protected]> --- M CMakeLists.txt M src/openvpn/networking_sitnl.c M tests/unit_tests/openvpn/Makefile.am 3 files changed, 6 insertions(+), 0 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 5954a6e..bf754f3 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -923,6 +923,7 @@ src/openvpn/crypto_openssl.c src/openvpn/crypto.c src/openvpn/crypto_epoch.c + src/openvpn/fdmisc.c src/openvpn/otime.c src/openvpn/packet_id.c ) diff --git a/src/openvpn/networking_sitnl.c b/src/openvpn/networking_sitnl.c index b3adb16..3e20b70 100644 --- a/src/openvpn/networking_sitnl.c +++ b/src/openvpn/networking_sitnl.c @@ -27,6 +27,7 @@ #include "dco.h" #include "errlevel.h" +#include "fdmisc.h" #include "buffer.h" #include "misc.h" #include "networking.h" @@ -181,6 +182,9 @@ return fd; } + /* set close on exec to avoid child processes access the socket */ + set_cloexec(fd); + if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof(sndbuf)) < 0) { msg(M_WARN | M_ERRNO, "%s: SO_SNDBUF", __func__); diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 997703a..0f13172 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -196,6 +196,7 @@ $(top_srcdir)/src/openvpn/crypto_epoch.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ $(top_srcdir)/src/openvpn/crypto_openssl.c \ + $(top_srcdir)/src/openvpn/fdmisc.c \ $(top_srcdir)/src/openvpn/otime.c \ $(top_srcdir)/src/openvpn/packet_id.c \ $(top_srcdir)/src/openvpn/platform.c -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1314?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I54845bf4dd17d06cfc3b402f188795f74f4b1d3e Gerrit-Change-Number: 1314 Gerrit-PatchSet: 5 Gerrit-Owner: ordex <[email protected]> Gerrit-Reviewer: cron2 <[email protected]> Gerrit-Reviewer: flichtenheld <[email protected]> Gerrit-Reviewer: plaisthos <[email protected]> Gerrit-CC: openvpn-devel <[email protected]>
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
