buffer size confusion in vastrock-huang/minivpn

Valid

Reported on

Jun 5th 2022


Description

The client reads up to BUFF_SIZE (2000) bytes from the TLS connection into a buffer of only 10 bytes, and SSL_read does not add a terminating zero, so the atoi() that follows parses an unterminated buffer.

Proof of Concept

#define BUFF_SIZE 2000
...
char buf[10];                     /* 10-byte stack buffer */
SSL_read(ssl, buf, BUFF_SIZE);    /* asks for up to 2000 bytes; SSL_read never NUL-terminates */
int virtualIP = atoi(buf);        /* atoi scans past the buffer looking for a terminator */
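Added example (not minivpn's own code): the same read-then-parse step written defensively. SSL_read is replaced by a function pointer of the same shape and a constructed in-memory connection so the block runs offline; MAX_VIRTUAL_IP, read_virtual_ip, fake_read and try_payload are names assumed for this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as SSL_read(ssl, buf, num); a function pointer lets the block
 * run offline against a constructed in-memory connection. */
typedef int (*read_fn)(void *conn, void *buf, int num);
#define MAX_VIRTUAL_IP 255   /* assumed upper bound for this example */

/* Hardened counterpart of the client.c snippet: never request more bytes than
 * the buffer holds, terminate using the count actually returned (SSL_read never
 * does it for you), and reject malformed input instead of letting atoi guess.
 * Returns the parsed value, or -1 on any failure. */
int read_virtual_ip(read_fn rd, void *conn, char *buf, size_t cap)
{
    if (cap < 2) return -1;
    int n = rd(conn, buf, (int)cap - 1);      /* leave room for the '\0' */
    if (n <= 0) return -1;                    /* error or closed connection */
    buf[n] = '\0';
    char *end = NULL;
    errno = 0;
    long v = strtol(buf, &end, 10);
    if (errno == ERANGE || end == buf) return -1;   /* no digits at all */
    while (*end == '\r' || *end == '\n') end++;     /* tolerate a line ending */
    if (*end != '\0') return -1;                    /* trailing junk */
    if (v < 0 || v > MAX_VIRTUAL_IP) return -1;
    return (int)v;
}

/* Constructed stand-in for SSL_read that serves bytes from a string. */
struct fake_conn { const char *data; size_t len, pos; };

int fake_read(void *c, void *buf, int num)
{
    struct fake_conn *fc = c;
    size_t left = fc->len - fc->pos;
    size_t n = left < (size_t)num ? left : (size_t)num;
    memcpy(buf, fc->data + fc->pos, n);
    fc->pos += n;
    return (int)n;
}

/* Push one constructed payload through the hardened path using the same
 * 10-byte buffer as client.c; an oversized payload is truncated, not overflowed. */
int try_payload(const char *payload)
{
    struct fake_conn fc = { payload, strlen(payload), 0 };
    char buf[10];
    return read_virtual_ip(fake_read, &fc, buf, sizeof buf);
}
```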

Impact

By controlling the data sent over the connection, an attacker can overflow the buffer and potentially achieve remote code execution. Given that the application is a VPN, the data it handles is also very sensitive.

We are processing your report and will contact the vastrock-huang/minivpn team within 24 hours. a year ago
ihsinme submitted a
a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the vastrock-huang/minivpn team and are waiting to hear back a year ago
vastrock-huang gave praise a year ago
Great work @ihsinme 👌, I have fixed this according to your patch.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
We have sent a follow up to the vastrock-huang/minivpn team. We will try again in 7 days. a year ago
vastrock-huang validated this vulnerability a year ago
ihsinme has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
vastrock-huang marked this as fixed in 0 with commit 9acc42 a year ago
ihsinme has been awarded the fix bounty
This vulnerability will not receive a CVE
client.c#L299-L299 has been validated