[Openvpn-devel] [S] Change in openvpn[master]: ssl_ncp: Fix length check in mutate_ncp_cipher_list

flichtenheld (Code Review) Fri, 30 Jan 2026 08:12:09 -0800

Attention is currently required from: plaisthos.

Hello plaisthos,


I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/1503?usp=email

to review the following change.


Change subject: ssl_ncp: Fix length check in mutate_ncp_cipher_list
......................................................................

ssl_ncp: Fix length check in mutate_ncp_cipher_list

* Make it more readable by removing a level of negation
* Fix an off-by-one error. It accepted one char fewer than
  allowed.
* Slightly improve the UT.

Change-Id: Ib0d2b9520e4a77a9f4bf70ce092f76ca73608537
Signed-off-by: Frank Lichtenheld <[email protected]>
---
M src/openvpn/ssl_ncp.c
M tests/unit_tests/openvpn/test_ncp.c
2 files changed, 18 insertions(+), 14 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/03/1503/1

diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index 500e09d..fdac6925 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -92,11 +92,6 @@
     }
 }

-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wsign-compare"
-#endif
-
 char *
 mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
 {
@@ -168,7 +163,7 @@
             }

             /* Ensure buffer has capacity for cipher name + : + \0 */
-            if (!(buf_forward_capacity(&new_list) > strlen(ovpn_cipher_name) + 
2))
+            if (buf_forward_capacity(&new_list) < 
(int)strlen(ovpn_cipher_name) + 2)
             {
                 msg(M_WARN, "Length of --data-ciphers is over the "
                             "limit of 127 chars");
@@ -207,10 +202,6 @@
     o->ncp_ciphers = ncp_ciphers;
 }

-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic pop
-#endif
-
 bool
 tls_item_in_cipher_list(const char *item, const char *list)
 {
diff --git a/tests/unit_tests/openvpn/test_ncp.c 
b/tests/unit_tests/openvpn/test_ncp.c
index 9f569a7..52a41ee 100644
--- a/tests/unit_tests/openvpn/test_ncp.c
+++ b/tests/unit_tests/openvpn/test_ncp.c
@@ -123,10 +123,23 @@
     assert_ptr_equal(mutate_ncp_cipher_list("AES-256-GCM:vollbit", &gc), NULL);
     assert_ptr_equal(mutate_ncp_cipher_list("", &gc), NULL);

-    
assert_ptr_equal(mutate_ncp_cipher_list("ChaCha20-Poly1305:ChaCha20-Poly1305:ChaCha20-Poly1305:"
-                                            
"ChaCha20-Poly1305:ChaCha20-Poly1305:ChaCha20-Poly1305:"
-                                            "ChaCha20-Poly1305",
-                                            &gc),
+    const char long_string[MAX_NCP_CIPHERS_LENGTH] =
+        "CHACHA20-POLY1305:CHACHA20-POLY1305:CHACHA20-POLY1305:"
+        "CHACHA20-POLY1305:CHACHA20-POLY1305:CHACHA20-POLY1305:"
+        "CHACHA20-POLY1305";
+    const char longer_string[MAX_NCP_CIPHERS_LENGTH + 1] =
+        "CHACHA20-POLY1305:CHACHA20-POLY1305:CHACHA20-POLY1305:"
+        "CHACHA20-POLY1305:CHACHA20-POLY1305:CHACHA20-POLY1305:"
+        "CHACHA20-POLY1305:";
+    const char longest_string[] =
+        "CHACHA20-POLY1305:CHACHA20-POLY1305:CHACHA20-POLY1305:"
+        "CHACHA20-POLY1305:CHACHA20-POLY1305:CHACHA20-POLY1305:"
+        "CHACHA20-POLY1305:CHACHA20-POLY1305";
+    assert_string_equal(mutate_ncp_cipher_list(long_string, &gc),
+                        long_string);
+    assert_string_equal(mutate_ncp_cipher_list(longer_string, &gc),
+                        long_string);
+    assert_ptr_equal(mutate_ncp_cipher_list(longest_string, &gc),
                      NULL);

 #ifdef ENABLE_CRYPTO_OPENSSL

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1503?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings?usp=email

Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ib0d2b9520e4a77a9f4bf70ce092f76ca73608537
Gerrit-Change-Number: 1503
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>

_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [S] Change in openvpn[master]: ssl_ncp: Fix length check in mutate_ncp_cipher_list

Reply via email to