File 0005-Don-t-assert-out-on-receiving-too-large-control-pack.patch of Package openvpn.15874
From feb35ee5cac605edddd6e9dc62941e2c53f96fb3 Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan.karger@fox-it.com>
Date: Thu, 11 May 2017 11:00:57 +0200
Subject: [PATCH] Don't assert out on receiving too-large control packets
(CVE-2017-7478)

Commit 358f513c changed the maximum size of accepted control channel
packets. This was needed for crypto negotiation (which is needed for a
nice transition to a new default cipher), but exposed a DoS
vulnerability. The vulnerability was found during the OpenVPN 2.4 code
audit by Quarkslab (commissioned by OSTIF).

To fix the issue, we should not ASSERT() on external input (in this case
the received packet size), but instead gracefully error out and drop the
invalid packet.

CVE: 2017-7478
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1494493257-8125-1-git-send-email-steffan.karger@fox-it.com>
URL: http://www.mail-archive.com/search?l=mid&q=1494493257-8125-1-git-send-email-steffan.karger@fox-it.com
Signed-off-by: David Sommerseth <davids@openvpn.net>
---
Changes.rst | 6 ++++++
src/openvpn/ssl.c | 7 ++++++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index c52a0e4f..e704b73e 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -3225,7 +3225,12 @@ tls_pre_decrypt (struct tls_multi *multi,
/* Save incoming ciphertext packet to reliable buffer */
struct buffer *in = reliable_get_buf (ks->rec_reliable);
ASSERT (in);
- ASSERT (buf_copy (in, buf));
+ if (!buf_copy (in, buf))
+ {
+ msg (D_MULTI_DROPPED,
+ "Incoming control channel packet too big, dropping.");
+ goto error;
+ }
reliable_mark_active_incoming (ks->rec_reliable, in, id, op);
}
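Review bot: The `ASSERT (in);` left directly above the new check is still a hard abort on the same receive path, so it is worth confirming (and stating in a comment) that `reliable_get_buf (ks->rec_reliable)` can only return NULL because of local state and never because of what a peer sends; if nothing earlier in `tls_pre_decrypt` guarantees that, it should get the same drop-and-`goto error` handling as the `buf_copy` failure. The new `D_MULTI_DROPPED` message would also be more useful for triage if it included the received length, for example `BLEN (buf)`, so an operator can tell an oversized control packet from a peer apart from a local buffer sizing problem. Separately, the diffstat lists `Changes.rst | 6 ++++++`, but no `Changes.rst` hunk is carried in this file, so the stat header no longer matches the patch body.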
--
2.12.2