mirror of
https://github.com/OpenVPN/openvpn.git
synced 2026-05-28 04:03:29 -04:00
Harden interactive service pipe
Some checks are pending
Build / Check code style with Uncrustify (push) Waiting to run
Build / gcc-mingw - x64 - OSSL (push) Waiting to run
Build / gcc-mingw - x86 - OSSL (push) Waiting to run
Build / mingw unittest argv - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest auth_token - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest buffer - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest crypto - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest cryptoapi - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest misc - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest ncp - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest packet_id - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest pkt - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest provider - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest tls_crypt - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest argv - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest auth_token - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest buffer - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest crypto - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest cryptoapi - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest misc - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest ncp - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest packet_id - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest pkt - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest provider - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest tls_crypt - x86 - OSSL (push) Blocked by required conditions
Build / gcc - ubuntu-24.04 - OpenSSL 3.0.13 --enable-pkcs11 (push) Waiting to run
Build / gcc - ubuntu-22.04 - OpenSSL 3.0.2 --enable-pkcs11 (push) Waiting to run
Build / gcc - ubuntu-22.04 - mbed TLS 2.28.0 (push) Waiting to run
Build / clang-asan - ubuntu-22.04 - mbedtls (push) Waiting to run
Build / clang-asan - ubuntu-22.04 - openssl (push) Waiting to run
Build / clang-asan - ubuntu-24.04 - mbedtls (push) Waiting to run
Build / clang-asan - ubuntu-24.04 - openssl (push) Waiting to run
Build / macos-13 - libressl - asan (push) Waiting to run
Build / macos-13 - openssl@1.1 - asan (push) Waiting to run
Build / macos-13 - openssl@3 - asan (push) Waiting to run
Build / macos-14 - libressl - asan (push) Waiting to run
Build / macos-14 - openssl@1.1 - asan (push) Waiting to run
Build / macos-14 - openssl@3 - asan (push) Waiting to run
Build / macos-15 - libressl - asan (push) Waiting to run
Build / macos-15 - openssl@1.1 - asan (push) Waiting to run
Build / macos-15 - openssl@3 - asan (push) Waiting to run
Build / macos-13 - libressl - normal (push) Waiting to run
Build / macos-13 - openssl@1.1 - normal (push) Waiting to run
Build / macos-13 - openssl@3 - normal (push) Waiting to run
Build / macos-14 - libressl - normal (push) Waiting to run
Build / macos-14 - openssl@1.1 - normal (push) Waiting to run
Build / macos-14 - openssl@3 - normal (push) Waiting to run
Build / macos-15 - libressl - normal (push) Waiting to run
Build / macos-15 - openssl@1.1 - normal (push) Waiting to run
Build / macos-15 - openssl@3 - normal (push) Waiting to run
Build / msbuild - amd64 - openssl (push) Waiting to run
Build / msbuild - arm64 - openssl (push) Waiting to run
Build / msbuild - x86 - openssl (push) Waiting to run
Build / clang asan - ubuntu-22.04 - libressl (push) Waiting to run
Build / gcc normal - ubuntu-22.04 - libressl (push) Waiting to run
Some checks are pending
Build / Check code style with Uncrustify (push) Waiting to run
Build / gcc-mingw - x64 - OSSL (push) Waiting to run
Build / gcc-mingw - x86 - OSSL (push) Waiting to run
Build / mingw unittest argv - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest auth_token - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest buffer - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest crypto - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest cryptoapi - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest misc - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest ncp - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest packet_id - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest pkt - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest provider - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest tls_crypt - x64 - OSSL (push) Blocked by required conditions
Build / mingw unittest argv - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest auth_token - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest buffer - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest crypto - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest cryptoapi - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest misc - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest ncp - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest packet_id - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest pkt - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest provider - x86 - OSSL (push) Blocked by required conditions
Build / mingw unittest tls_crypt - x86 - OSSL (push) Blocked by required conditions
Build / gcc - ubuntu-24.04 - OpenSSL 3.0.13 --enable-pkcs11 (push) Waiting to run
Build / gcc - ubuntu-22.04 - OpenSSL 3.0.2 --enable-pkcs11 (push) Waiting to run
Build / gcc - ubuntu-22.04 - mbed TLS 2.28.0 (push) Waiting to run
Build / clang-asan - ubuntu-22.04 - mbedtls (push) Waiting to run
Build / clang-asan - ubuntu-22.04 - openssl (push) Waiting to run
Build / clang-asan - ubuntu-24.04 - mbedtls (push) Waiting to run
Build / clang-asan - ubuntu-24.04 - openssl (push) Waiting to run
Build / macos-13 - libressl - asan (push) Waiting to run
Build / macos-13 - openssl@1.1 - asan (push) Waiting to run
Build / macos-13 - openssl@3 - asan (push) Waiting to run
Build / macos-14 - libressl - asan (push) Waiting to run
Build / macos-14 - openssl@1.1 - asan (push) Waiting to run
Build / macos-14 - openssl@3 - asan (push) Waiting to run
Build / macos-15 - libressl - asan (push) Waiting to run
Build / macos-15 - openssl@1.1 - asan (push) Waiting to run
Build / macos-15 - openssl@3 - asan (push) Waiting to run
Build / macos-13 - libressl - normal (push) Waiting to run
Build / macos-13 - openssl@1.1 - normal (push) Waiting to run
Build / macos-13 - openssl@3 - normal (push) Waiting to run
Build / macos-14 - libressl - normal (push) Waiting to run
Build / macos-14 - openssl@1.1 - normal (push) Waiting to run
Build / macos-14 - openssl@3 - normal (push) Waiting to run
Build / macos-15 - libressl - normal (push) Waiting to run
Build / macos-15 - openssl@1.1 - normal (push) Waiting to run
Build / macos-15 - openssl@3 - normal (push) Waiting to run
Build / msbuild - amd64 - openssl (push) Waiting to run
Build / msbuild - arm64 - openssl (push) Waiting to run
Build / msbuild - x86 - openssl (push) Waiting to run
Build / clang asan - ubuntu-22.04 - libressl (push) Waiting to run
Build / gcc normal - ubuntu-22.04 - libressl (push) Waiting to run
- Append a version 4 uuid to ovpn_pipe_name to make it less predictable - Do not allow remote access to the pipe This greatly reduces the possibility of a rogue process racing to open the pipe before CreateFile() is called in the worker thread. Reported-by: Marc Heuse <marc@srlabs.de> Change-Id: Ie66a142751354e421d48b273784fc79bcb9f7208 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1401 Message-Id: <20251124183839.24803-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34654.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
Selva Nair
Gert Doering
parent
031fdbc795
commit
a8fb9f6443
1 changed files with 21 additions and 2 deletions
|
|
@ -1955,11 +1955,30 @@ RunOpenvpn(LPVOID p)
|
|||
goto out;
|
||||
}
|
||||
|
||||
UUID pipe_uuid;
|
||||
RPC_STATUS rpc_stat = UuidCreate(&pipe_uuid);
|
||||
if (rpc_stat != RPC_S_OK)
|
||||
{
|
||||
ReturnError(pipe, rpc_stat, L"UuidCreate", 1, &exit_event);
|
||||
goto out;
|
||||
}
|
||||
|
||||
RPC_WSTR pipe_uuid_str = NULL;
|
||||
rpc_stat = UuidToStringW(&pipe_uuid, &pipe_uuid_str);
|
||||
if (rpc_stat != RPC_S_OK)
|
||||
{
|
||||
ReturnError(pipe, rpc_stat, L"UuidToString", 1, &exit_event);
|
||||
goto out;
|
||||
}
|
||||
openvpn_swprintf(ovpn_pipe_name, _countof(ovpn_pipe_name),
|
||||
TEXT("\\\\.\\pipe\\" PACKAGE "%ls\\service_%lu"), service_instance, GetCurrentThreadId());
|
||||
TEXT("\\\\.\\pipe\\" PACKAGE "%ls\\service_%lu_%ls"), service_instance,
|
||||
GetCurrentThreadId(), pipe_uuid_str);
|
||||
RpcStringFree(&pipe_uuid_str);
|
||||
|
||||
ovpn_pipe = CreateNamedPipe(ovpn_pipe_name,
|
||||
PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE | FILE_FLAG_OVERLAPPED,
|
||||
PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT, 1, 128, 128, 0, NULL);
|
||||
PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT | PIPE_REJECT_REMOTE_CLIENTS,
|
||||
1, 128, 128, 0, NULL);
|
||||
if (ovpn_pipe == INVALID_HANDLE_VALUE)
|
||||
{
|
||||
ReturnLastError(pipe, L"CreateNamedPipe");
|
||||
|
|
|
|||
Loading…
Reference in a new issue