Skip to content

proto: correct 802.1Q length check in is_ipv_X#1044

Closed
rootvector2 wants to merge 1 commit into
OpenVPN:masterfrom
rootvector2:proto-8021q-length-check
Closed

proto: correct 802.1Q length check in is_ipv_X#1044
rootvector2 wants to merge 1 commit into
OpenVPN:masterfrom
rootvector2:proto-8021q-length-check

Conversation

@rootvector2

Copy link
Copy Markdown
Contributor

In TAP mode is_ipv_X() checks an 802.1Q frame against the untagged Ethernet header size but then advances past the larger 18-byte 802.1Q header. A tagged frame of 34 to 37 bytes passes the check yet leaves fewer than sizeof(struct openvpn_iphdr) bytes at the new buffer head, so callers such as client_nat_transform that trust the return value access bytes past the IP header. Use sizeof(struct openvpn_8021qhdr) for the check instead.

@rootvector2

Copy link
Copy Markdown
Contributor Author

any update?

@cron2

cron2 commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Thanks for the finding. As the welcome message tells you, we don't deal with github PRs, but ask for patches to be sent to our gerrit or to the mailing list. I can forward to gerrit, but we had lots of other work to do, so this extra step can lead to patches getting overlooked (which is a shame, but days are short).

Before proceeding, I need a signed-off-by: name <e-mail> address in the git commit message. I can add this for you, @rootvector2, but need to know what to put there.

cron2 pushed a commit to cron2/openvpn that referenced this pull request Jul 16, 2026
Github: OpenVPN/openvpn#1044

This has also been reported twice as a security relevant bug, but
only later than the original finding - and it isn't.

While --client-nat would modify a 32bit integer "after the packet"
(the place where an IPv4 address would be, in a well-formed packet),
the underlying buffer is always max-frame sized, and we never look
at the "modified integer" afterwards, so there are no consequences
warranting allocation of a CVE ID.

Signed-off-by: rootvector2 <dxbnaveed.k@gmail.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1789
Reported-By: 章鱼哥 (www.aipyaipy.com)
Reported-By: Yu Zhang Wong <wongyuzhang45@gmail.com>
Change-Id: I8219c6295acf28ff10ddb2fcc285f813c42fa8fe
Message-Id: <20260715202210.9010-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg37652.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
cron2 pushed a commit to cron2/openvpn that referenced this pull request Jul 16, 2026
Github: OpenVPN/openvpn#1044

This has also been reported twice as a security relevant bug, but
only later than the original finding - and it isn't.

While --client-nat would modify a 32bit integer "after the packet"
(the place where an IPv4 address would be, in a well-formed packet),
the underlying buffer is always max-frame sized, and we never look
at the "modified integer" afterwards, so there are no consequences
warranting allocation of a CVE ID.

Signed-off-by: rootvector2 <dxbnaveed.k@gmail.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1789
Reported-By: 章鱼哥 (www.aipyaipy.com)
Reported-By: Yu Zhang Wong <wongyuzhang45@gmail.com>
Change-Id: I8219c6295acf28ff10ddb2fcc285f813c42fa8fe
Message-Id: <20260715202210.9010-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg37652.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f8b15da)
cron2 pushed a commit to cron2/openvpn that referenced this pull request Jul 16, 2026
Github: OpenVPN/openvpn#1044

This has also been reported twice as a security relevant bug, but
only later than the original finding - and it isn't.

While --client-nat would modify a 32bit integer "after the packet"
(the place where an IPv4 address would be, in a well-formed packet),
the underlying buffer is always max-frame sized, and we never look
at the "modified integer" afterwards, so there are no consequences
warranting allocation of a CVE ID.

Signed-off-by: rootvector2 <dxbnaveed.k@gmail.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1789
Reported-By: 章鱼哥 (www.aipyaipy.com)
Reported-By: Yu Zhang Wong <wongyuzhang45@gmail.com>
Change-Id: I8219c6295acf28ff10ddb2fcc285f813c42fa8fe
Message-Id: <20260715202210.9010-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg37652.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f8b15da)
@cron2

cron2 commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Patch went to gerrit, has been reviewed and approved, and is now undergoing final github actions checks. Expect it to show up in the "real" openvpn repo tomorrow.

@cron2

cron2 commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

commit f8b15da (master)
commit 47c9267 (release/2.7)
commit 66c7d43 (release/2.6)
Author: rootvector2
Date: Wed Jul 15 22:22:02 2026 +0200

 proto: correct 802.1Q length check in is_ipv_X

 Signed-off-by: rootvector2 <dxbnaveed.k@gmail.com>

@cron2 cron2 closed this Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants