[Openvpn-devel] Remote memory corruption

2017-09-21 Thread Guido Vranken
Hello, this concerns key_method 1. I know it's deprecated, but reporting it just in case people still use it. So key_method_1_read() calls read_key(), which doesn't perform adequate bounds checks. cipher_length and hmac_length are specified by the peer: 1643 uint8_t cipher_length; 1644 u

[Openvpn-devel] OpenVPN fuzzers released

2017-06-27 Thread Guido Vranken
Here is the set of fuzzers used to find the recent vulnerabilities in OpenVPN: https://github.com/guidovranken/openvpn/tree/fuzzing Not all code is covered by this set; more fuzzers need to be written in order to verify the overall security of OpenVPN. Hence, it is conceivable that more vulnerabi

[Openvpn-devel] [PATCH] Fix memory leak in add_option() for option 'connection'

2017-06-08 Thread Guido Vranken
This patch ensures that if an error occurs while processing the 'connection' directive of an options specification, the variable 'struct options sub', which is initialized with init_options(), is properly freed with uninit_options(). Signed-off-by: Guido Vranken --- src/o

[Openvpn-devel] [PATCH] Fix a null-pointer dereference in establish_http_proxy_passthru()

2017-06-08 Thread Guido Vranken
Prevents the client from crashing if the peer does not specify the 'realm' and/or 'nonce' values. These pointers are dereferenced in DigestCalcHA1() and DigestCalcResponse(); hence, if not set, a null-pointer dereference would occur. Signed-off-by: Guido Vranken --- src

Re: [Openvpn-devel] [PATCH applied] Re: refactor my_strupr

2017-06-08 Thread Guido Vranken
ll as you put it, I just moved > it into the "not first line" block, and wrapped the lines to ~70 chars) > > commit 69162924de3600bfe8ae9708a1d6e3f4515ef995 (master) > commit 69f00d8ce6862772919e2714adb72f13f3e92ca7 (release/2.4) > commit 8dd598e89f25074f2d4d23f77cb601cf48a

[Openvpn-devel] [PATCH] Fix 2 memory leaks in proxy authentication routine

2017-06-08 Thread Guido Vranken
Signed-off-by: Guido Vranken --- src/openvpn/proxy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index b0ed327..8ff09ba 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -318,6 +318,7 @@ get_proxy_authenticate(socket_descriptor_t sd

[Openvpn-devel] [PATCH] Add one element (a terminating NULL pointer) to the array into which parse_line() stores the arguments. This prevents that options that traverse this array until a terminator i

2017-06-07 Thread Guido Vranken
Signed-off-by: Guido Vranken --- src/openvpn/options.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 452087a..91d8280 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -4531,7 +4531,7

[Openvpn-devel] [PATCH] Refactor my_strupr such that it will not check and possibly alter bytes after the string's null terminator for strings of length 0

2017-06-07 Thread Guido Vranken
Signed-off-by: Guido Vranken --- src/openvpn/ntlm.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 0c43681..9348337 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -130,17 +130,16 @@ gen_nonce(unsigned char

[Openvpn-devel] [PATCH] Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)

2017-05-13 Thread Guido Vranken
Signed-off-by: Guido Vranken --- src/openvpn/ssl_verify_openssl.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 8374783..d64f83c 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn