[Openvpn-devel] [S] Change in openvpn[master]: Disable DCO if proxy is set via management
cron2 has uploaded a new patch set (#2) to the change originally created by
stipa. ( http://gerrit.openvpn.net/c/openvpn/+/543?usp=email )
The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld
Change subject: Disable DCO if proxy is set via management
..
Disable DCO if proxy is set via management
Commit
45a1cb2a ("Disable DCO if proxy is set via management")
attempted to disable DCO when proxy is set via management interface. However,
at least on Windows this doesn't work, since:
- setting tuntap_options->disable_dco to true is not enough to disable DCO
- at this point it is a bit too late, since we've already done DCO-specific
adjustments
Since proxy can be set via management only if --management-query-proxy is
specified, the better way is to add a check to dco_check_startup_option().
Github: fixes OpenVPN/openvpn#522
Change-Id: I16d6a9fefa317d7d4a195e786618328445bdbca8
Signed-off-by: Lev Stipakov
Acked-by: Frank Lichtenheld
Message-Id: <20240318181744.20625-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28415.html
Signed-off-by: Gert Doering
---
M src/openvpn/dco.c
M src/openvpn/init.c
2 files changed, 6 insertions(+), 6 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/43/543/2
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index d7c9d48..78243b1 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -387,6 +387,12 @@
return false;
}
+if (o->management_flags & MF_QUERY_PROXY)
+{
+msg(msglevel, "Note: --management-query-proxy disables data channel
offload.");
+return false;
+}
+
/* now that all options have been confirmed to be supported, check
* if DCO is truly available on the system
*/
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 6209fa8..f2ce926 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -221,12 +221,6 @@
}
else if (p[2] && p[3])
{
-if (dco_enabled(&c->options))
-{
-msg(M_INFO, "Proxy set via management, disabling Data Channel
Offload.");
-c->options.tuntap_options.disable_dco = true;
-}
-
if (streq(p[1], "HTTP"))
{
struct http_proxy_options *ho;
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/543?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I16d6a9fefa317d7d4a195e786618328445bdbca8
Gerrit-Change-Number: 543
Gerrit-PatchSet: 2
Gerrit-Owner: stipa
Gerrit-Reviewer: flichtenheld
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-MessageType: newpatchset
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: Disable DCO if proxy is set via management
cron2 has submitted this change. (
http://gerrit.openvpn.net/c/openvpn/+/543?usp=email )
Change subject: Disable DCO if proxy is set via management
..
Disable DCO if proxy is set via management
Commit
45a1cb2a ("Disable DCO if proxy is set via management")
attempted to disable DCO when proxy is set via management interface. However,
at least on Windows this doesn't work, since:
- setting tuntap_options->disable_dco to true is not enough to disable DCO
- at this point it is a bit too late, since we've already done DCO-specific
adjustments
Since proxy can be set via management only if --management-query-proxy is
specified, the better way is to add a check to dco_check_startup_option().
Github: fixes OpenVPN/openvpn#522
Change-Id: I16d6a9fefa317d7d4a195e786618328445bdbca8
Signed-off-by: Lev Stipakov
Acked-by: Frank Lichtenheld
Message-Id: <20240318181744.20625-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28415.html
Signed-off-by: Gert Doering
---
M src/openvpn/dco.c
M src/openvpn/init.c
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index d7c9d48..78243b1 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -387,6 +387,12 @@
return false;
}
+if (o->management_flags & MF_QUERY_PROXY)
+{
+msg(msglevel, "Note: --management-query-proxy disables data channel
offload.");
+return false;
+}
+
/* now that all options have been confirmed to be supported, check
* if DCO is truly available on the system
*/
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 6209fa8..f2ce926 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -221,12 +221,6 @@
}
else if (p[2] && p[3])
{
-if (dco_enabled(&c->options))
-{
-msg(M_INFO, "Proxy set via management, disabling Data Channel
Offload.");
-c->options.tuntap_options.disable_dco = true;
-}
-
if (streq(p[1], "HTTP"))
{
struct http_proxy_options *ho;
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/543?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I16d6a9fefa317d7d4a195e786618328445bdbca8
Gerrit-Change-Number: 543
Gerrit-PatchSet: 2
Gerrit-Owner: stipa
Gerrit-Reviewer: flichtenheld
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-MessageType: merged
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Disable DCO if proxy is set via management
Straight and to the point :-) Minimally tested with a linux t_client setup that uses DCO and proxy (but no --managment-query-proxy). Your patch has been applied to the master and release/2.6 branch (bugfix). commit fd6b8395f6cee8a6c28f335ec25ed6db11f7 (master) commit 462fed53c7a5f21c07dafa4910765efe56d7402d (release/2.6) Author: Lev Stipakov Date: Mon Mar 18 19:17:44 2024 +0100 Disable DCO if proxy is set via management Signed-off-by: Lev Stipakov Acked-by: Frank Lichtenheld Message-Id: <20240318181744.20625-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28415.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: interactive.c: Fix potential stack overflow issue
As for the two previous windows/CVE patches, this patch was sent "with ACK included" to the openvpn-devel@ list because it was developed under embargo (CVE), and reviewed and ACKed in a closed group. I have verified that this patch is identical to the "v2" version that Heiko and the original reporter saw and ACKed. The patch looks larger than the actual code change, because to do the size check the union typedef needs to move outside the function where it was "local" before. The actual check is very straightforward - "if there is more data in the pipe than can fit into a pipe_message_t, log an error and close this thread" (thus, abandon the process on the other end that pretends to be openvpn.exe but is misbehaving). In itself, this bug is annoying, but can not be directly exploited (because you cannot "just talk to this pipe", but you need to be openvpn.exe from the install directory). Combined with other potential flaws that give an attacker the opportunity to swap the openvpn.exe binary or get a malicious plugin loaded, this could end up being a local privilege escalation to SYSTEM. No exploit is known so far - this was found by code inspection for missing bounds checks. I have test compiled this on MinGW and GHA, but did not actually run it. Your patch has been applied to the master and release/2.6 branch (security relevant bugfix). A direct cherrypick to 2.5 fails due to "sufficiently different code and data structures" so I've asked Lev to send a 2.5 version which I could review-and-ACK then. commit 989b22cb6e007fd1addcfaf7d12f4fec9fbc9639 (master) commit 9b2693feff9c49b9485cf94797c1c3502259dbe1 (release/2.6) Author: Lev Stipakov Date: Tue Mar 19 17:27:11 2024 +0200 interactive.c: Fix potential stack overflow issue Signed-off-by: Lev Stipakov Acked-by: Heiko Hund Message-Id: <20240319152803.1801-2-...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28420.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: interactive.c: Fix potential stack overflow issue
As for the two previous windows/CVE patches, this patch was sent "with ACK included" to the openvpn-devel@ list because it was developed under embargo (CVE), and reviewed and ACKed in a closed group. I have verified that this patch is identical to the "v2" version that Heiko and the original reporter saw and ACKed. The patch looks larger than the actual code change, because to do the size check the union typedef needs to move outside the function where it was "local" before. The actual check is very straightforward - "if there is more data in the pipe than can fit into a pipe_message_t, log an error and close this thread" (thus, abandon the process on the other end that pretends to be openvpn.exe but is misbehaving). In itself, this bug is annoying, but can not be directly exploited (because you cannot "just talk to this pipe", but you need to be openvpn.exe from the install directory). Combined with other potential flaws that give an attacker the opportunity to swap the openvpn.exe binary or get a malicious plugin loaded, this could end up being a local privilege escalation to SYSTEM. No exploit is known so far - this was found by code inspection for missing bounds checks. I have test compiled this on MinGW and GHA, but did not actually run it. Your patch has been applied to the master and release/2.6 branch (security relevant bugfix). A direct cherrypick to 2.5 fails due to "sufficiently different code and data structures" so I've asked Lev to send a 2.5 version which I could review-and-ACK then. commit 989b22cb6e007fd1addcfaf7d12f4fec9fbc9639 (master) commit 9b2693feff9c49b9485cf94797c1c3502259dbe1 (release/2.6) Author: Lev Stipakov Date: Tue Mar 19 17:27:11 2024 +0200 interactive.c: Fix potential stack overflow issue Signed-off-by: Lev Stipakov Acked-by: Heiko Hund Message-Id: <20240319152803.1801-2-...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28420.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: interactive.c: disable remote access to the service pipe
As for the "plugin loading", this patch was sent "with ACK included" to the openvpn-devel@ list because it was developed under embargo (CVE), and reviewed and ACKed in a closed group. I have verified that this patch is identical to the that Heiko and the original reporter saw and ACKed. It's not very clear if there is a real attack angle here, but generally speaking this is a local process which only the GUI running on the same machine should be speaking to, so we do not want arbitrary machines in the network to be able to connect to its pipe and "try things". I have test compiled this on MinGW and GHA, but did not actually run it. Your patch has been applied to the master, release/2.6 and release/2.5 branch (security relevant bugfix). commit 2c1de0f0803360c0a6408f754066bd3a6fb28237 (master) commit a95e665041466ec7d4ca6dbf89d22c7950e9ef26 (release/2.6) commit e0775c042c7908a9b315da8092b436d03abea08a (release/2.5) Author: Lev Stipakov Date: Tue Mar 19 17:16:07 2024 +0200 interactive.c: disable remote access to the service pipe Signed-off-by: Lev Stipakov Acked-by: Heiko Hund Message-Id: <20240319151723.936-2-...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28419.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: GHA: general update March 2024
cron2 has submitted this change. (
http://gerrit.openvpn.net/c/openvpn/+/544?usp=email )
Change subject: GHA: general update March 2024
..
GHA: general update March 2024
- Update to Node 20 versions of actions to avoid warnings
- Update to current vcpkg
- Update mbedTLS and LibreSSL to latest releases
Change-Id: I1ad6a0b1323ce0872f4a3299c5a9f18a982e0126
Signed-off-by: Frank Lichtenheld
Acked-by: Arne Schwabe
Message-Id: <20240319154456.2967716-1-fr...@lichtenheld.com>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28422.html
Signed-off-by: Gert Doering
---
M .github/workflows/build.yaml
M .github/workflows/coverity-scan.yml
2 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index bc937e5..f771f5a 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -13,7 +13,7 @@
- name: Install dependencies
run: sudo apt update && sudo apt install -y uncrustify
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
with:
path: openvpn
- name: Show uncrustify version
@@ -27,7 +27,7 @@
- name: Show changes on standard output
run: git diff
working-directory: openvpn
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
with:
name: uncrustify-changes.patch
path: 'openvpn/uncrustify-changes.patch'
@@ -49,12 +49,12 @@
- name: Install dependencies
run: sudo apt update && sudo apt install -y mingw-w64 unzip cmake
ninja-build build-essential wget python3-docutils man2html-base
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
- name: Restore from cache and install vcpkg
uses: lukka/run-vcpkg@v11
with:
- vcpkgGitCommitId: '1ba9a2591f15af5900f2ce2b3e2bf31771e3ac48'
+ vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e
vcpkgJsonGlob: '**/mingw/vcpkg.json'
- name: Run CMake with vcpkg.json manifest
@@ -64,7 +64,7 @@
buildPreset: mingw-${{ matrix.arch }}
buildPresetAdditionalArgs: "['--config Debug']"
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
with:
name: openvpn-mingw-${{ matrix.arch }}
path: |
@@ -72,7 +72,7 @@
${{ github.workspace }}/out/build/mingw/${{ matrix.arch
}}/Debug/*.dll
!${{ github.workspace }}/out/build/mingw/${{ matrix.arch
}}/Debug/test_*.exe
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
with:
name: openvpn-mingw-${{ matrix.arch }}-tests
path: |
@@ -91,9 +91,9 @@
name: "mingw unittest ${{ matrix.test }} - ${{ matrix.arch }} - OSSL"
steps:
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
- name: Retrieve mingw unittest
-uses: actions/download-artifact@v3
+uses: actions/download-artifact@v4
with:
name: openvpn-mingw-${{ matrix.arch }}-tests
path: unittests
@@ -159,7 +159,7 @@
- name: Install dependencies
run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev
liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev
python3-docutils libtool automake autoconf ${SSLPKG} ${PKCS11PKG}
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
- name: autoconf
run: autoreconf -fvi
- name: configure
@@ -186,7 +186,7 @@
- name: Install dependencies
run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev
liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html clang
libcmocka-dev python3-docutils libtool automake autoconf libmbedtls-dev
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
- name: autoconf
run: autoreconf -fvi
- name: configure
@@ -235,7 +235,7 @@
- name: Install dependencies
run: brew install openssl@1.1 openssl@3 lzo lz4 man2html cmocka
libtool automake autoconf libressl
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
- name: autoconf
run: autoreconf -fvi
- name: configure
@@ -257,7 +257,7 @@
runs-on: windows-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- uses: lukka/get-cmake@latest
- name: Install rst2html
@@ -266,7 +266,7 @@
- name: Restore artifacts, or setup vcpkg (do not install any package)
uses: lukka/run-vcpkg@v11
with:
- vcpkgGitCommitId: '1ba9a2591f15af5900f2ce2b3e2
[Openvpn-devel] [S] Change in openvpn[master]: GHA: general update March 2024
cron2 has uploaded a new patch set (#2) to the change originally created by
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/544?usp=email )
The following approvals got outdated and were removed:
Code-Review+2 by plaisthos
Change subject: GHA: general update March 2024
..
GHA: general update March 2024
- Update to Node 20 versions of actions to avoid warnings
- Update to current vcpkg
- Update mbedTLS and LibreSSL to latest releases
Change-Id: I1ad6a0b1323ce0872f4a3299c5a9f18a982e0126
Signed-off-by: Frank Lichtenheld
Acked-by: Arne Schwabe
Message-Id: <20240319154456.2967716-1-fr...@lichtenheld.com>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28422.html
Signed-off-by: Gert Doering
---
M .github/workflows/build.yaml
M .github/workflows/coverity-scan.yml
2 files changed, 23 insertions(+), 23 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/44/544/2
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index bc937e5..f771f5a 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -13,7 +13,7 @@
- name: Install dependencies
run: sudo apt update && sudo apt install -y uncrustify
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
with:
path: openvpn
- name: Show uncrustify version
@@ -27,7 +27,7 @@
- name: Show changes on standard output
run: git diff
working-directory: openvpn
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
with:
name: uncrustify-changes.patch
path: 'openvpn/uncrustify-changes.patch'
@@ -49,12 +49,12 @@
- name: Install dependencies
run: sudo apt update && sudo apt install -y mingw-w64 unzip cmake
ninja-build build-essential wget python3-docutils man2html-base
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
- name: Restore from cache and install vcpkg
uses: lukka/run-vcpkg@v11
with:
- vcpkgGitCommitId: '1ba9a2591f15af5900f2ce2b3e2bf31771e3ac48'
+ vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e
vcpkgJsonGlob: '**/mingw/vcpkg.json'
- name: Run CMake with vcpkg.json manifest
@@ -64,7 +64,7 @@
buildPreset: mingw-${{ matrix.arch }}
buildPresetAdditionalArgs: "['--config Debug']"
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
with:
name: openvpn-mingw-${{ matrix.arch }}
path: |
@@ -72,7 +72,7 @@
${{ github.workspace }}/out/build/mingw/${{ matrix.arch
}}/Debug/*.dll
!${{ github.workspace }}/out/build/mingw/${{ matrix.arch
}}/Debug/test_*.exe
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
with:
name: openvpn-mingw-${{ matrix.arch }}-tests
path: |
@@ -91,9 +91,9 @@
name: "mingw unittest ${{ matrix.test }} - ${{ matrix.arch }} - OSSL"
steps:
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
- name: Retrieve mingw unittest
-uses: actions/download-artifact@v3
+uses: actions/download-artifact@v4
with:
name: openvpn-mingw-${{ matrix.arch }}-tests
path: unittests
@@ -159,7 +159,7 @@
- name: Install dependencies
run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev
liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev
python3-docutils libtool automake autoconf ${SSLPKG} ${PKCS11PKG}
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
- name: autoconf
run: autoreconf -fvi
- name: configure
@@ -186,7 +186,7 @@
- name: Install dependencies
run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev
liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html clang
libcmocka-dev python3-docutils libtool automake autoconf libmbedtls-dev
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
- name: autoconf
run: autoreconf -fvi
- name: configure
@@ -235,7 +235,7 @@
- name: Install dependencies
run: brew install openssl@1.1 openssl@3 lzo lz4 man2html cmocka
libtool automake autoconf libressl
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
- name: autoconf
run: autoreconf -fvi
- name: configure
@@ -257,7 +257,7 @@
runs-on: windows-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- uses: lukka/get-cmake@latest
- name: Install rs
[Openvpn-devel] [PATCH applied] Re: GHA: general update March 2024
Tested on my GH repo. Works (except as noted for ubuntu/ASAN). Your patch has been applied to the master and release/2.6 branch. (Two merge conflicts, one related to "there is no checkout for mingw-unittests in 2.6 (yet)" and one to "no mbedtls3 tests") commit 36ff5cdb45183c13b0cb084b288b237ad55345cd (master) commit 5afc89ab747cfc8ad6b391f17dca61661e9b9df3 (release/2.6) Author: Frank Lichtenheld Date: Tue Mar 19 16:44:56 2024 +0100 GHA: general update March 2024 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20240319154456.2967716-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28422.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: win32: Enforce loading of plugins from a trusted directory
Thanks for that. This patch was sent "with ACK included" to the openvpn-devel@ list because it was developed under embargo (CVE), and reviewed and ACKed in a closed group. I have verified that this patch is identical to the "v4 one" that Selva and the original reporter saw and ACKed. This is related to plugin loading on windows only. We have discussed the topic of "restricting plugin loading on other platforms" but it's more complex to tackle (it starts with "there is no central registry to put restrictions into", but goes on to "on unix, openvpn runs as root anyway, so we expect this to be done by admins who spend some thought on what scripts and plugin they call, and from which paths") - so we haven't done anything there yet. I have test built this on MinGW/Ubuntu, just for completeness, and via GHA. Haven't tested the result myself (no plugin setup on windows). (I do have a few gripes, but these are more cosmetical - like "make get_openvpn_reg_value() static", and "wrap the long if() condition at the '&&', not in the middle of the function call" - but these are all not important for the functionality) Your patch has been applied to the master, release/2.6 and release/2.5 branch (security relevant bugfix). commit aaea545d8a940f761898d736b68bcb067d503b1d (master) commit 05d321ef980734478a86c5241dad7ba26a748a2f (release/2.6) commit 30bddb1a5426523ef1d61c8a5df2c613ba2a47d3 (release/2.5) Author: Lev Stipakov Date: Tue Mar 19 15:53:45 2024 +0200 win32: Enforce loading of plugins from a trusted directory Signed-off-by: Lev Stipakov Acked-by: Selva Nair Message-Id: <20240319135355.1279-2-...@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28416.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v1] GHA: general update March 2024
- Update to Node 20 versions of actions to avoid warnings
- Update to current vcpkg
- Update mbedTLS and LibreSSL to latest releases
Change-Id: I1ad6a0b1323ce0872f4a3299c5a9f18a982e0126
Signed-off-by: Frank Lichtenheld
Acked-by: Arne Schwabe
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/544
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Arne Schwabe
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index bc937e5..f771f5a 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -13,7 +13,7 @@
- name: Install dependencies
run: sudo apt update && sudo apt install -y uncrustify
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
with:
path: openvpn
- name: Show uncrustify version
@@ -27,7 +27,7 @@
- name: Show changes on standard output
run: git diff
working-directory: openvpn
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
with:
name: uncrustify-changes.patch
path: 'openvpn/uncrustify-changes.patch'
@@ -49,12 +49,12 @@
- name: Install dependencies
run: sudo apt update && sudo apt install -y mingw-w64 unzip cmake
ninja-build build-essential wget python3-docutils man2html-base
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
- name: Restore from cache and install vcpkg
uses: lukka/run-vcpkg@v11
with:
- vcpkgGitCommitId: '1ba9a2591f15af5900f2ce2b3e2bf31771e3ac48'
+ vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e
vcpkgJsonGlob: '**/mingw/vcpkg.json'
- name: Run CMake with vcpkg.json manifest
@@ -64,7 +64,7 @@
buildPreset: mingw-${{ matrix.arch }}
buildPresetAdditionalArgs: "['--config Debug']"
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
with:
name: openvpn-mingw-${{ matrix.arch }}
path: |
@@ -72,7 +72,7 @@
${{ github.workspace }}/out/build/mingw/${{ matrix.arch
}}/Debug/*.dll
!${{ github.workspace }}/out/build/mingw/${{ matrix.arch
}}/Debug/test_*.exe
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
with:
name: openvpn-mingw-${{ matrix.arch }}-tests
path: |
@@ -91,9 +91,9 @@
name: "mingw unittest ${{ matrix.test }} - ${{ matrix.arch }} - OSSL"
steps:
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
- name: Retrieve mingw unittest
-uses: actions/download-artifact@v3
+uses: actions/download-artifact@v4
with:
name: openvpn-mingw-${{ matrix.arch }}-tests
path: unittests
@@ -159,7 +159,7 @@
- name: Install dependencies
run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev
liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev
python3-docutils libtool automake autoconf ${SSLPKG} ${PKCS11PKG}
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
- name: autoconf
run: autoreconf -fvi
- name: configure
@@ -186,7 +186,7 @@
- name: Install dependencies
run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev
liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html clang
libcmocka-dev python3-docutils libtool automake autoconf libmbedtls-dev
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
- name: autoconf
run: autoreconf -fvi
- name: configure
@@ -235,7 +235,7 @@
- name: Install dependencies
run: brew install openssl@1.1 openssl@3 lzo lz4 man2html cmocka
libtool automake autoconf libressl
- name: Checkout OpenVPN
-uses: actions/checkout@v3
+uses: actions/checkout@v4
- name: autoconf
run: autoreconf -fvi
- name: configure
@@ -257,7 +257,7 @@
runs-on: windows-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- uses: lukka/get-cmake@latest
- name: Install rst2html
@@ -266,7 +266,7 @@
- name: Restore artifacts, or setup vcpkg (do not install any package)
uses: lukka/run-vcpkg@v11
with:
- vcpkgGitCommitId: '1ba9a2591f15af5900f2ce2b3e2bf31771e3ac48'
+ vcpkgGitCommitId: 8d3649ba34aab36914ddd897958599aa0a91b08e
vcpkgJsonGlob: '**/windows/vcpkg.json'
- name: Run CMake with vcpkg.json manifest (NO TESTS)
@@ -285,7 +285,7 @@
testPreset: win-${{ ma
[Openvpn-devel] [S] Change in openvpn[master]: GHA: general update March 2024
Attention is currently required from: flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/544?usp=email ) Change subject: GHA: general update March 2024 .. Patch Set 1: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/544?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1ad6a0b1323ce0872f4a3299c5a9f18a982e0126 Gerrit-Change-Number: 544 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Tue, 19 Mar 2024 15:38:16 + Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2] interactive.c: Fix potential stack overflow issue
When reading message from the pipe, we first peek the pipe to get the size
of the message waiting to be read and then read the message. A compromised
OpenVPN process could send an excessively large message, which would result
in a stack-allocated message buffer overflow.
To address this, we terminate the misbehaving process if the peeked message
size exceeds the maximum allowable size.
CVE: 2024-27459
Microsoft case number: 85932
Reported-by: Vladimir Tokarev
Change-Id: Ib5743cba0741ea11f9ee62c4978b2c6789b81ada
Signed-off-by: Lev Stipakov
Acked-by: Heiko Hund
---
v2: added CVE and MSFT case number
src/openvpnserv/interactive.c | 35 +--
1 file changed, 21 insertions(+), 14 deletions(-)
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 32c8996c..24e3f341 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -106,6 +106,18 @@ typedef struct {
struct tun_ring *receive_ring;
} ring_buffer_maps_t;
+typedef union {
+message_header_t header;
+address_message_t address;
+route_message_t route;
+flush_neighbors_message_t flush_neighbors;
+block_dns_message_t block_dns;
+dns_cfg_message_t dns;
+enable_dhcp_message_t dhcp;
+register_ring_buffers_message_t rrb;
+set_mtu_message_t mtu;
+wins_cfg_message_t wins;
+} pipe_message_t;
static DWORD
AddListItem(list_item_t **pfirst, LPVOID data)
@@ -1610,19 +1622,7 @@ static VOID
HandleMessage(HANDLE pipe, HANDLE ovpn_proc,
DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists)
{
-DWORD read;
-union {
-message_header_t header;
-address_message_t address;
-route_message_t route;
-flush_neighbors_message_t flush_neighbors;
-block_dns_message_t block_dns;
-dns_cfg_message_t dns;
-enable_dhcp_message_t dhcp;
-register_ring_buffers_message_t rrb;
-set_mtu_message_t mtu;
-wins_cfg_message_t wins;
-} msg;
+pipe_message_t msg;
ack_message_t ack = {
.header = {
.type = msg_acknowledgement,
@@ -1632,7 +1632,7 @@ HandleMessage(HANDLE pipe, HANDLE ovpn_proc,
.error_number = ERROR_MESSAGE_DATA
};
-read = ReadPipeAsync(pipe, &msg, bytes, count, events);
+DWORD read = ReadPipeAsync(pipe, &msg, bytes, count, events);
if (read != bytes || read < sizeof(msg.header) || read != msg.header.size)
{
goto out;
@@ -2059,6 +2059,13 @@ RunOpenvpn(LPVOID p)
break;
}
+if (bytes > sizeof(pipe_message_t))
+{
+/* process at the other side of the pipe is misbehaving, shut it
down */
+MsgToEventLog(MSG_FLAGS_ERROR, TEXT("OpenVPN process sent too
large payload length to the pipe (%lu bytes), it will be terminated"), bytes);
+break;
+}
+
HandleMessage(ovpn_pipe, proc_info.hProcess, bytes, 1, &exit_event,
&undo_lists);
}
--
2.42.0.windows.2
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2] interactive.c: disable remote access to the service pipe
Remote access to the service pipe is not needed and might
be a potential attack vector.
For example, if an attacker manages to get credentials for
a user which is the member of "OpenVPN Administrators" group
on a victim machine, an attacker might be able to communicate
with the privileged interactive service on a victim machine
and start openvpn processes remotely.
CVE: 2024-24974
Microsoft case number: 85925
Reported-by: Vladimir Tokarev
Change-Id: I8739c5f127e9ca0683fcdbd099dba9896ae46277
Signed-off-by: Lev Stipakov
Acked-by: Heiko Hund
---
v2: add CVE and MSFT case number to the commit message
src/openvpnserv/interactive.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 24e3f341..6a977b68 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -2175,7 +2175,7 @@ CreateClientPipeInstance(VOID)
openvpn_swprintf(pipe_name, _countof(pipe_name), TEXT(".\\pipe\\"
PACKAGE "%ls\\service"), service_instance);
pipe = CreateNamedPipe(pipe_name, flags,
- PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE,
+ PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE |
PIPE_REJECT_REMOTE_CLIENTS,
PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);
if (pipe == INVALID_HANDLE_VALUE)
{
--
2.42.0.windows.2
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] interactive.c: Fix potential stack overflow issue
When reading message from the pipe, we first peek the pipe to get the size
of the message waiting to be read and then read the message. A compromised
OpenVPN process could send an excessively large message, which would result
in a stack-allocated message buffer overflow.
To address this, we terminate the misbehaving process if the peeked message
size exceeds the maximum allowable size.
Reported-by: Vladimir Tokarev
Change-Id: Ib5743cba0741ea11f9ee62c4978b2c6789b81ada
Signed-off-by: Lev Stipakov
Acked-by: Heiko Hund
---
src/openvpnserv/interactive.c | 35 +--
1 file changed, 21 insertions(+), 14 deletions(-)
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 32c8996c..24e3f341 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -106,6 +106,18 @@ typedef struct {
struct tun_ring *receive_ring;
} ring_buffer_maps_t;
+typedef union {
+message_header_t header;
+address_message_t address;
+route_message_t route;
+flush_neighbors_message_t flush_neighbors;
+block_dns_message_t block_dns;
+dns_cfg_message_t dns;
+enable_dhcp_message_t dhcp;
+register_ring_buffers_message_t rrb;
+set_mtu_message_t mtu;
+wins_cfg_message_t wins;
+} pipe_message_t;
static DWORD
AddListItem(list_item_t **pfirst, LPVOID data)
@@ -1610,19 +1622,7 @@ static VOID
HandleMessage(HANDLE pipe, HANDLE ovpn_proc,
DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists)
{
-DWORD read;
-union {
-message_header_t header;
-address_message_t address;
-route_message_t route;
-flush_neighbors_message_t flush_neighbors;
-block_dns_message_t block_dns;
-dns_cfg_message_t dns;
-enable_dhcp_message_t dhcp;
-register_ring_buffers_message_t rrb;
-set_mtu_message_t mtu;
-wins_cfg_message_t wins;
-} msg;
+pipe_message_t msg;
ack_message_t ack = {
.header = {
.type = msg_acknowledgement,
@@ -1632,7 +1632,7 @@ HandleMessage(HANDLE pipe, HANDLE ovpn_proc,
.error_number = ERROR_MESSAGE_DATA
};
-read = ReadPipeAsync(pipe, &msg, bytes, count, events);
+DWORD read = ReadPipeAsync(pipe, &msg, bytes, count, events);
if (read != bytes || read < sizeof(msg.header) || read != msg.header.size)
{
goto out;
@@ -2059,6 +2059,13 @@ RunOpenvpn(LPVOID p)
break;
}
+if (bytes > sizeof(pipe_message_t))
+{
+/* process at the other side of the pipe is misbehaving, shut it
down */
+MsgToEventLog(MSG_FLAGS_ERROR, TEXT("OpenVPN process sent too
large payload length to the pipe (%lu bytes), it will be terminated"), bytes);
+break;
+}
+
HandleMessage(ovpn_pipe, proc_info.hProcess, bytes, 1, &exit_event,
&undo_lists);
}
--
2.42.0.windows.2
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] interactive.c: disable remote access to the service pipe
Remote access to the service pipe is not needed and might
be a potential attack vector.
For example, if an attacker manages to get credentials for
a user which is the member of "OpenVPN Administrators" group
on a victim machine, an attacker might be able to communicate
with the privileged interactive service on a victim machine
and start openvpn processes remotely.
Reported-by: Vladimir Tokarev
Change-Id: I8739c5f127e9ca0683fcdbd099dba9896ae46277
Signed-off-by: Lev Stipakov
Acked-by: Heiko Hund
---
src/openvpnserv/interactive.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 24e3f341..6a977b68 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -2175,7 +2175,7 @@ CreateClientPipeInstance(VOID)
openvpn_swprintf(pipe_name, _countof(pipe_name), TEXT(".\\pipe\\"
PACKAGE "%ls\\service"), service_instance);
pipe = CreateNamedPipe(pipe_name, flags,
- PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE,
+ PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE |
PIPE_REJECT_REMOTE_CLIENTS,
PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);
if (pipe == INVALID_HANDLE_VALUE)
{
--
2.42.0.windows.2
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] win32: Enforce loading of plugins from a trusted directory
Currently, there's a risk associated with allowing plugins to be loaded
from any location. This update ensures plugins are only loaded from a
trusted directory, which is either:
- HKLM\SOFTWARE\OpenVPN\plugin_dir (or if the key is missing,
then HKLM\SOFTWARE\OpenVPN, which is installation directory)
- System directory
Loading from UNC paths is disallowed.
Note: This change affects only Windows environments.
CVE: 2024-27903
Change-Id: I154a4aaad9242c9253a64312a14c5fd2ea95f40d
Reported-by: Vladimir Tokarev
Signed-off-by: Lev Stipakov
Acked-by: Selva Nair
---
src/openvpn/plugin.c | 18 +--
src/openvpn/win32.c | 77 +---
src/openvpn/win32.h | 27
3 files changed, 107 insertions(+), 15 deletions(-)
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index b4d4a986..3d62eced 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -277,11 +277,23 @@ plugin_init_item(struct plugin *p, const struct
plugin_option *o)
#else /* ifndef _WIN32 */
-rel = !platform_absolute_pathname(p->so_pathname);
-p->module = LoadLibraryW(wide_string(p->so_pathname, &gc));
+WCHAR *wpath = wide_string(p->so_pathname, &gc);
+WCHAR normalized_plugin_path[MAX_PATH] = {0};
+/* Normalize the plugin path, converting any relative paths to absolute
paths. */
+if (!GetFullPathNameW(wpath, MAX_PATH, normalized_plugin_path, NULL))
+{
+msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls. Failed to
normalize plugin path.", wpath);
+}
+
+if (!plugin_in_trusted_dir(normalized_plugin_path))
+{
+msg(M_FATAL, "PLUGIN_INIT: could not load plugin DLL: %ls. The DLL is
not in a trusted directory.", normalized_plugin_path);
+}
+
+p->module = LoadLibraryW(normalized_plugin_path);
if (!p->module)
{
-msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %s",
p->so_pathname);
+msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls",
normalized_plugin_path);
}
#define PLUGIN_SYM(var, name, flags) dll_resolve_symbol(p->module, (void
*)&p->var, name, p->so_pathname, flags)
diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index 6b7ba5e4..7ed32811 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
@@ -1497,27 +1497,24 @@ openvpn_swprintf(wchar_t *const str, const size_t size,
const wchar_t *const for
return (len >= 0 && len < size);
}
-static BOOL
-get_install_path(WCHAR *path, DWORD size)
+bool
+get_openvpn_reg_value(const WCHAR *key, WCHAR *value, DWORD size)
{
WCHAR reg_path[256];
-HKEY key;
-BOOL res = FALSE;
+HKEY hkey;
openvpn_swprintf(reg_path, _countof(reg_path), L"SOFTWARE\\" PACKAGE_NAME);
-LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ,
&key);
+LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ,
&hkey);
if (status != ERROR_SUCCESS)
{
-return res;
+return false;
}
-/* The default value of REG_KEY is the install path */
-status = RegGetValueW(key, NULL, NULL, RRF_RT_REG_SZ, NULL, (LPBYTE)path,
&size);
-res = status == ERROR_SUCCESS;
+status = RegGetValueW(hkey, NULL, key, RRF_RT_REG_SZ, NULL, (LPBYTE)value,
&size);
-RegCloseKey(key);
+RegCloseKey(hkey);
-return res;
+return status == ERROR_SUCCESS;
}
static void
@@ -1526,7 +1523,7 @@ set_openssl_env_vars()
const WCHAR *ssl_fallback_dir = L"C:\\Windows\\System32";
WCHAR install_path[MAX_PATH] = { 0 };
-if (!get_install_path(install_path, _countof(install_path)))
+if (!get_openvpn_reg_value(NULL, install_path, _countof(install_path)))
{
/* if we cannot find installation path from the registry,
* use Windows directory as a fallback
@@ -1605,4 +1602,60 @@ win32_sleep(const int n)
}
}
}
+
+bool
+plugin_in_trusted_dir(const WCHAR *plugin_path)
+{
+/* UNC paths are not allowed */
+if (wcsncmp(plugin_path, L"", 2) == 0)
+{
+msg(M_WARN, "UNC paths for plugins are not allowed.");
+return false;
+}
+
+WCHAR plugin_dir[MAX_PATH] = { 0 };
+
+/* Attempt to retrieve the trusted plugin directory path from the registry,
+ * using installation path as a fallback */
+if (!get_openvpn_reg_value(L"plugin_dir", plugin_dir, _countof(plugin_dir))
+&& !get_openvpn_reg_value(NULL, plugin_dir, _countof(plugin_dir)))
+{
+msg(M_WARN, "Installation path could not be determined.");
+}
+
+/* Get the system directory */
+WCHAR system_dir[MAX_PATH] = { 0 };
+if (GetSystemDirectoryW(system_dir, _countof(system_dir)) == 0)
+{
+msg(M_NONFATAL | M_ERRNO, "Failed to get system directory.");
+}
+
+if ((wcslen(plugin_dir) == 0) && (wcslen(system_dir) == 0))
+{
+return false;
+}
+
+WCHAR normalized_plugin_dir[MAX_PATH] = { 0 };
+
+/* Normalize the plugin dir */
+if (wcslen(p
