)]}'
{"id":"openvpn~1373","triplet_id":"openvpn~master~Ided1ac7c804487055b175d8766535bead257b7d5","project":"openvpn","branch":"master","attention_set":{},"removed_from_attention_set":{"1000003":{"account":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"last_update":"2025-11-12 16:13:37.000000000","reason":"Change was abandoned"}},"hashtags":[],"change_id":"Ided1ac7c804487055b175d8766535bead257b7d5","subject":"Fix construction of invalid pointer in tls_pre_decrypt","status":"ABANDONED","created":"2025-11-12 13:40:07.000000000","updated":"2025-11-12 16:13:37.000000000","total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"meta_rev_id":"ee7f15f62d4cb12acd77fd5c65a9070960ee45ec","_number":1373,"virtual_id_number":1373,"owner":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"actions":{},"labels":{"Code-Review":{"approved":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"all":[{"value":2,"date":"2025-11-12 14:12:52.000000000","permitted_voting_range":{"min":-2,"max":2},"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"}],"values":{"-2":"This shall not be submitted","-1":"I would prefer this is not submitted as is"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me, approved"},"description":"","default_value":0}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"}],"CC":[{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2025-11-12 
13:40:08.000000000","updated_by":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"reviewer":{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"},"state":"CC"},{"updated":"2025-11-12 14:12:52.000000000","updated_by":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"reviewer":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"state":"REVIEWER"}],"messages":[{"id":"17dcdd22bc580c8e88aed7689bd427fe882267f7","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"date":"2025-11-12 13:40:07.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"6afd37822229a6784374442659b51c6b83a6f5f6","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-11-12 14:12:52.000000000","message":"Patch Set 1: Code-Review+2","accounts_in_message":[],"_revision_number":1},{"id":"ee7f15f62d4cb12acd77fd5c65a9070960ee45ec","tag":"autogenerated:gerrit:abandon","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2025-11-12 16:13:37.000000000","message":"Abandoned\n\nI ruined the commit by adding a blank line, so Gerrit could not match it anymore.  
This has been merged as commit 5cdf3f9724c89b278c88fd408714a8d2c1f4d1a1 (master) + cherrypicked to 2.6 and 2.5","accounts_in_message":[],"_revision_number":1}],"current_revision_number":1,"current_revision":"ad0ae39380b0283f30d276f0dd48274cbcef7d75","revisions":{"ad0ae39380b0283f30d276f0dd48274cbcef7d75":{"kind":"REWORK","_number":1,"created":"2025-11-12 13:40:07.000000000","uploader":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"ref":"refs/changes/73/1373/1","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/73/1373/1","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1373/1 \u0026\u0026 git checkout -b change-1373 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1373/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1373/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1373/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/73/1373/1","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1373/1 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"0da6116c0c8fccfa12369139ebf9357d113debba","subject":"ssl: Change tls_send_payload size argument to size_t"}],"author":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-11-03 13:34:04.000000000","tz":60},"committer":{"name":"Arne Schwabe","email":"arne@rfc2549.org","date":"2025-11-12 13:39:54.000000000","tz":60},"subject":"Fix construction of invalid pointer in tls_pre_decrypt","message":"Fix construction of invalid pointer in tls_pre_decrypt\n\nIn tls_pre_decrypt we construct a pointer ks with an invalid i if i is TM_SIZE\ndoing a out-of-bounds access in 
multi-\u003esession.\n\nThis is something that exists at least since 2.3.0 (I didn\u0027t go further\nback but probably exists in earlier versions as well, as the commits date\nback to SVN beta21 branch).\n\nSo we construct the pointer but do not do anything with it if it is\ninvalid as we check i *after* we construct the pointer `ks`.\n\nI suspect that the compiler optimises the bug away in any higher optimisation\nlevel.\n\nAssuming there is no optimisation, let\u0027s check what is possible.\nSince we never use the value `ks` if it is invalid, we do not have to\nworry if it ends up invalid or not. The only thing that we have to\nworry about is whether\n`session + offsetof(struct tls_session, key[KS_PRIMARY])` is pointing\nto memory that is valid to read to construct the `ks` pointer.\nThis is outside the tls_multi struct, so this is not guaranteed to be\nallocated memory but at the same time it is also only a few bytes (or a few\ntens/hundred) after the struct, so it will with an extremely high\nprobability be in a memory region that will not cause a segfault.\n\nEvery time this condition is hit and we construct the invalid pointer,\nthe log message \"TLS Error: Unroutable control packet received\" is\nprinted at `verb 1` or higher. And this is a quite common log message,\nwhich serves as indication as well that a crash is not something that\ntypically happens but either the optimisation fixes it or the memory\nregion of the invalid access is valid to read from.\n\nChange-Id: Ided1ac7c804487055b175d8766535bead257b7d5\nSigned-off-by: Arne Schwabe \u003carne@rfc2549.org\u003e\n"},"branch":"refs/heads/master"}},"requirements":[],"submit_records":[],"submit_requirements":[]}
