buffer size confusion in vastrock-huang/minivpn

Valid

Reported on

Jun 5th 2022


Description

SSL_read() is asked to write up to 2000 bytes (BUFF_SIZE) into a buffer of only 10 bytes, and SSL_read() does not add a terminating zero at the end of what it writes, so the buffer passed to atoi() is both overflowable and unterminated.

Proof of Concept

#include <openssl/ssl.h>   /* SSL_read() */
#include <stdlib.h>        /* atoi() */
#define BUFF_SIZE 2000
...
char buf[10];                   /* 10-byte destination buffer */
SSL_read(ssl, buf, BUFF_SIZE);  /* may write up to 2000 bytes into it; no NUL appended */
int virtualIP = atoi(buf);      /* parses an unterminated buffer */
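As an added example that is not part of the report or of minivpn, the corrected pattern for the same read: bound the length by the buffer, terminate it explicitly, and validate before parsing. fake_ssl_read() is a constructed stand-in for SSL_read() with the same contract (writes at most num bytes, never appends a NUL) so the block runs without OpenSSL; rejecting a message that fills the buffer as over-length is an assumption about the expected value, not minivpn's protocol.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 10   /* same 10-byte buffer as in the report */

/* Constructed stand-in for an SSL connection: a canned peer message. */
struct fake_ssl { const unsigned char *data; size_t len; size_t pos; };

/* Mimics SSL_read(): copies at most `num` bytes into buf and returns the
 * count. Like the real call it does NOT append a terminating NUL. */
static int fake_ssl_read(struct fake_ssl *ssl, void *buf, int num) {
    size_t avail = ssl->len - ssl->pos;
    size_t n = (size_t)num < avail ? (size_t)num : avail;
    memcpy(buf, ssl->data + ssl->pos, n);
    ssl->pos += n;
    return (int)n;
}

/* Hardened read of the virtual IP: the read length is bounded by the buffer
 * (minus one byte for the NUL), the buffer is terminated explicitly, and
 * strtol() replaces atoi() so garbage is rejected instead of parsed as 0.
 * A message that fills the buffer is treated as over-length (assumed rule:
 * the value is expected to be short). Returns 0 on success, -1 otherwise. */
static int read_virtual_ip(struct fake_ssl *ssl, long *out) {
    char buf[BUF_SIZE];
    int n = fake_ssl_read(ssl, buf, (int)sizeof(buf) - 1);
    if (n <= 0 || n >= (int)sizeof(buf) - 1)
        return -1;           /* empty, or possibly truncated */
    buf[n] = '\0';           /* SSL_read() does not do this for us */
    errno = 0;
    char *end;
    long v = strtol(buf, &end, 10);
    if (errno != 0 || end == buf || *end != '\0')
        return -1;           /* not a complete decimal number */
    *out = v;
    return 0;
}

/* Parse one constructed peer message (helper for trying inputs). */
static int parse_virtual_ip_msg(const char *msg, size_t len, long *out) {
    struct fake_ssl s = { (const unsigned char *)msg, len, 0 };
    return read_virtual_ip(&s, out);
}
```

Feeding parse_virtual_ip_msg() a 2000-byte message, as in the report, now yields -1 with at most 9 bytes ever written into buf.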

Impact

By controlling the network data, an attacker can achieve remote code execution. Given that the application is a VPN, the data it handles is also very sensitive.

Timeline

21 days ago: We are processing your report and will contact the vastrock-huang/minivpn team within 24 hours.
21 days ago: ihsinme submitted a
20 days ago: We created a GitHub Issue asking the maintainers to create a SECURITY.md
19 days ago: We have contacted a member of the vastrock-huang/minivpn team and are waiting to hear back
19 days ago: vastrock-huang gave praise: "Great work @ihsinme 👌, I have fixed this according to your patch."
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
16 days ago: We have sent a follow up to the vastrock-huang/minivpn team. We will try again in 7 days.
13 days ago: vastrock-huang validated this vulnerability
ihsinme has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
13 days ago: vastrock-huang confirmed that a fix has been merged on 9acc42
ihsinme has been awarded the fix bounty
client.c#L299-L299 has been validated