From 940e5206c4c1dfa44da5585f0d99e9b34338d234 Mon Sep 17 00:00:00 2001
From: Graham Northup <graham@whereto.com>
Date: Mon, 17 Jun 2024 11:54:17 -0400
Subject: [PATCH] Fix CVE-2024-28820

An attacker who can control the challenge/response password field could, with a
valid LDAP username, pass a string with more than 14 colons into this field,
causing a buffer overflow. This happens before the number of tokens is checked
for validity below.

This commit ensures that the loop bails before attempting to write past the end
of tokenIndexes; as of the currently-published protocol, any response with more
than 15 fields is certainly invalid (and will be rejected below).
---
 src/openvpn-cr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn-cr.c b/src/openvpn-cr.c
index 7151e79..6ab75b9 100644
--- a/src/openvpn-cr.c
+++ b/src/openvpn-cr.c
@@ -29,7 +29,7 @@ int extract_openvpn_cr(const char *response, openvpn_response *result, char **er
 	tokenIndexes[0] = response;
 	int tokenCnt = 1;
 	const char *p;
-	for (p = response; *p; ++p) {
+	for (p = response; *p && tokenCnt < 15; ++p) {
 		if (*p == ':')
 			tokenIndexes[tokenCnt++] = p + 1;
 	}