From: Gianmarco De Gregori <[email protected]>

The code previously read a 32-bit value from a uint8_t buffer using a direct cast and dereference. This can cause unaligned memory access and undefined behavior on architectures that do not support unaligned reads, potentially leading to a one-packet crash.
This patch replaces the unsafe cast with a safe memcpy-based read. Reported-By: Joshua Rogers <[email protected]> Found-By: ZeroPath (https://zeropath.com) Change-Id: Id0bb4c45d373437ab8dbaff7a311745f9b538cbf Signed-off-by: Gianmarco De Gregori <[email protected]> Acked-by: Frank Lichtenheld <[email protected]> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1348 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1348 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld <[email protected]> diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 31134be..0653b219 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -209,7 +209,9 @@ /* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */ if (v2) { - uint32_t peer_id = ntohl(*(uint32_t *)ptr) & 0xFFFFFF; + uint32_t tmp; + memcpy(&tmp, ptr, sizeof(tmp)); + uint32_t peer_id = ntohl(tmp) & 0xFFFFFF; peer_id_disabled = (peer_id == MAX_PEER_ID); if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id])) _______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
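
Review bot: The length check that the comment above `if (v2)` refers to ("opcode (1 byte) and peer-id (3 bytes)") is not visible in this hunk's context, and the new `memcpy(&tmp, ptr, sizeof(tmp));` reads a full 4 bytes from `ptr`, so please confirm that the check guarantees at least `sizeof(uint32_t)` readable bytes at `ptr` on every path that reaches this branch. The old cast read the same 4 bytes, so this is not a regression, but a patch aimed at a one-packet crash is the right place to verify it. Two smaller points on the added lines: `tmp` could carry a name that says what it holds (the opcode byte plus the 3-byte peer-id in network order), and a one-line comment that `& 0xFFFFFF` drops the opcode byte after `ntohl()` would make the mask self-explanatory. Replacing the cast-and-dereference with `memcpy` into a local `uint32_t` is the correct way to remove the alignment dependency.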
