Fix potential integer overflow in TapSharedSendPacket #167

Merged
lstipakov merged 1 commit into OpenVPN:master from lstipakov:int-overflow
Mar 19, 2024
@lstipakov

Following code:

unsigned int fullLength;
<..>
fullLength = PacketLength + PrefixLength;

could cause integer overflow, which will result in allocation of smaller size of memory, which later causes buffer overflow and a bug check.

Fix by checking overflow condition and fail the IRP in case of overflow.

CVE: 2024-1305

Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>

Signed-off-by: Lev Stipakov <lev@openvpn.net>
@cron2

cron2 commented Mar 19, 2024

Looks good to me. ACK.

@lstipakov lstipakov merged commit 0cad866 into OpenVPN:master Mar 19, 2024
@lstipakov lstipakov deleted the int-overflow branch March 19, 2024 13:44
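
The wraparound described in the pull request, shown as an added user-mode example (this is not the driver's code and not the merged fix). The function names, the 14-byte prefix and the sample lengths are assumptions constructed for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked sum as quoted in the PR: wraps modulo UINT_MAX + 1. */
static unsigned int unchecked_full_length(unsigned int packet_len,
                                          unsigned int prefix_len)
{
    return packet_len + prefix_len;
}

/* Checked sum: reports overflow instead of wrapping. */
static bool checked_full_length(unsigned int packet_len,
                                unsigned int prefix_len, unsigned int *out)
{
    if (packet_len > UINT_MAX - prefix_len)
        return false;
    *out = packet_len + prefix_len;
    return true;
}

/* Hypothetical stand-in for the send path: copies prefix + packet into a
 * new buffer, or returns NULL so the caller can fail the request. */
static unsigned char *build_frame(const unsigned char *prefix,
                                  unsigned int prefix_len,
                                  const unsigned char *packet,
                                  unsigned int packet_len,
                                  unsigned int *full_len)
{
    unsigned char *buf;

    if (!checked_full_length(packet_len, prefix_len, full_len))
        return NULL;                 /* would have allocated too little */
    buf = malloc(*full_len ? *full_len : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, prefix, prefix_len);
    memcpy(buf + prefix_len, packet, packet_len);
    return buf;
}

int main(void)
{
    /* Constructed lengths: a 14-byte prefix and a near-UINT_MAX packet. */
    printf("unchecked: %u\n", unchecked_full_length(UINT_MAX - 3u, 14u));
    return 0;
}
```

The comparison `packet_len > UINT_MAX - prefix_len` is evaluated before the addition, so the check itself cannot wrap.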