1. 13 Feb, 2013 3 commits
    • Impose minimum MTU of 1280 bytes. · cae51780
      David Woodhouse authored
      Some people have seen extremely low pMTU values from the kernel. Not sure
      why, but let's impose a lower limit for now.
      Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
      (cherry picked from commit b37161f6)
    • Canonicalise hostname during authentication if necessary · 173c3143
      David Woodhouse authored
      Some people have round-robin servers, all addressed by the same hostname
      but with different SSL certificates. Where we do the authentication (and
      user-interactive approval of certificates) from a GUI via libopenconnect,
      or with 'openconnect --authenticate', we end up being given the SHA1 on
      the server's certificate and the non-interactive connection is going to
      expect to see exactly that certificate. So if there is more than one
      result in the original DNS lookup, *change* vpninfo->hostname to hold
      the IP address that we actually connected to.
      
      This means that the Host: header in what we send will be the numeric IP
      address instead of the hostname, but that doesn't seem to hurt. It could
      potentially, theoretically, break virtual hosts but I don't think that
      kind of setup could ever exist in practice.
      
      This also works only in the case where we're *not* connecting via a proxy.
      We currently let the proxy do the DNS lookups *for* us, and we'd have to
      do them locally and then ask the proxy for a connection by IP address
      even for the *first* connection.
      Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
      (cherry picked from commit b0b4b34f
       and subsequent fix commit 3e6ecfa5)
    • http: Fix overflow on HTTP request buffers (CVE-2012-6128) · bcc2f7f2
      Kevin Cernekee authored
      A malicious VPN gateway can send a very long hostname/path (for redirects)
      or cookie list (in general), which OpenConnect will attempt to sprintf()
      into a fixed length buffer.  Each HTTP server response line can add
      roughly MAX_BUF_LEN (131072) bytes to the next OpenConnect HTTP request,
      but the request buffer (buf) is capped at MAX_BUF_LEN bytes and is
      allocated on the stack.
      
      The result of passing a long "Location:" header looks like:
      
          Attempting to connect to server 127.0.0.1:443
          SSL negotiation with localhost
          Server certificate verify failed: self signed certificate in certificate chain
          Connected to HTTPS on localhost
          GET https://localhost/
          Got HTTP response: HTTP/1.0 301 Moved
          Ignoring unknown HTTP response line 'aaaaaaaaaaaaaaaaaa'
          SSL negotiation with localhost
          Server certificate verify failed: self signed certificate in certificate chain
          Connected to HTTPS on localhost
          *** buffer overflow detected ***: /scr/openconnect2/.libs/lt-openconnect terminated
          ======= Backtrace: =========
          /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fd62729b82c]
          /lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fd62729a700]
          /lib/x86_64-linux-gnu/libc.so.6(+0x108b69)[0x7fd627299b69]
          /lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7fd62720d13d]
          /lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ae7)[0x7fd6271db4a7]
          /lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7fd627299c04]
          /lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7fd627299b4d]
          /scr/openconnect2/.libs/libopenconnect.so.2(openconnect_obtain_cookie+0xc0)[0x7fd62832d210]
          /scr/openconnect2/.libs/lt-openconnect[0x40413f]
          /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fd6271b276d]
          /scr/openconnect2/.libs/lt-openconnect[0x404579]
      
      The proposed fix is to use dynamically allocated buffers with overflow
      checking.
      Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
      Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
      (cherry picked from commit 26f752c3)
  2. 13 Oct, 2012 1 commit
  3. 11 Oct, 2012 3 commits
  4. 30 Sep, 2012 1 commit
  5. 26 Sep, 2012 13 commits
  6. 24 Sep, 2012 1 commit
  7. 23 Sep, 2012 1 commit
  8. 22 Sep, 2012 1 commit
  9. 23 Sep, 2012 2 commits
  10. 10 Sep, 2012 1 commit
  11. 03 Sep, 2012 1 commit
  12. 31 Aug, 2012 3 commits
  13. 20 Aug, 2012 2 commits
  14. 03 Aug, 2012 2 commits
  15. 02 Aug, 2012 1 commit
  16. 23 Jul, 2012 1 commit
  17. 20 Jul, 2012 1 commit
  18. 16 Jul, 2012 2 commits
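
The fix pattern named in the CVE-2012-6128 commit message above (dynamically allocated buffers with overflow checking), as an added C example that is not OpenConnect's own code. `struct reqbuf`, `reqbuf_append`, `build_request` and `REQ_MAX` are hypothetical names; the cap reuses the 131072 figure quoted in that message.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REQ_MAX 131072  /* assumed cap, from the MAX_BUF_LEN value quoted above */

/* Hypothetical growable buffer; 'error' latches so callers check it once. */
struct reqbuf { char *data; size_t len, cap; int error; };

static void reqbuf_append(struct reqbuf *b, const char *fmt, ...)
{
    va_list ap;
    int need;

    if (b->error)
        return;
    va_start(ap, fmt);
    need = vsnprintf(NULL, 0, fmt, ap);   /* measure first, write nothing */
    va_end(ap);
    if (need < 0 || b->len + (size_t)need + 1 > REQ_MAX) {
        b->error = 1;                     /* refuse an oversized request */
        return;
    }
    if (b->len + (size_t)need + 1 > b->cap) {
        size_t ncap = b->len + (size_t)need + 1;
        char *p = realloc(b->data, ncap);
        if (!p) { b->error = 1; return; }
        b->data = p;
        b->cap = ncap;
    }
    va_start(ap, fmt);
    vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap);
    va_end(ap);
    b->len += (size_t)need;
}

/* Build a GET request from server-controlled host/path (e.g. a redirect).
 * Returns a malloc'd string, or NULL if the request would exceed REQ_MAX. */
char *build_request(const char *host, const char *path)
{
    struct reqbuf b = { NULL, 0, 0, 0 };

    reqbuf_append(&b, "GET /%s HTTP/1.1\r\n", path);
    reqbuf_append(&b, "Host: %s\r\n", host);
    reqbuf_append(&b, "\r\n");
    if (b.error) { free(b.data); return NULL; }
    return b.data;
}
```

An over-long host or path makes `build_request` return NULL instead of writing past the end of a fixed stack buffer, so the caller can drop the connection cleanly.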