sitnl: set FD_CLOEXEC on socket to prevent abuse

ordex · cron2 · commit 12a2e88b9e9f · 2025-10-28T17:34:22.000+01:00
Since OpenVPN spawns various child processes, it is important that sockets are closed after calling exec. The sitnl socket didn't have the right flag set, resulting in it surviving in, for example, connect/disconnect scripts and giving the latter a chance to abuse the socket. Ensure this doesn't happen by setting FD_CLOEXEC on this socket right after creation. Reported-by: Joshua Rogers <contact@joshua.hu> Found-by: ZeroPath (https://zeropath.com/) Change-Id: I54845bf4dd17d06cfc3b402f188795f74f4b1d3e Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1314 Message-Id: <20251028162843.18189-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33952.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit b9b5470)
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -711,6 +711,7 @@ if (BUILD_TESTING)
             src/openvpn/crypto_mbedtls.c
             src/openvpn/crypto_openssl.c
             src/openvpn/crypto.c
+            src/openvpn/fdmisc.c
             src/openvpn/otime.c
             src/openvpn/packet_id.c
             )
diff --git a/src/openvpn/networking_sitnl.c b/src/openvpn/networking_sitnl.c
@@ -28,6 +28,7 @@
 
 #include "dco.h"
 #include "errlevel.h"
+#include "fdmisc.h"
 #include "buffer.h"
 #include "misc.h"
 #include "networking.h"
@@ -166,6 +167,9 @@ sitnl_socket(void)
         return fd;
     }
 
+    /* set close on exec to avoid child processes access the socket */
+    set_cloexec(fd);
+
     if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof(sndbuf)) < 0)
     {
         msg(M_WARN | M_ERRNO, "%s: SO_SNDBUF", __func__);
diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am
@@ -130,6 +130,7 @@ networking_testdriver_SOURCES = test_networking.c mock_msg.c \
 	$(top_srcdir)/src/openvpn/crypto.c \
 	$(top_srcdir)/src/openvpn/crypto_mbedtls.c \
 	$(top_srcdir)/src/openvpn/crypto_openssl.c \
+	$(top_srcdir)/src/openvpn/fdmisc.c \
 	$(top_srcdir)/src/openvpn/otime.c \
 	$(top_srcdir)/src/openvpn/packet_id.c \
 	$(top_srcdir)/src/openvpn/platform.c

Original file line number	Diff line number	Diff line change
`@@ -711,6 +711,7 @@ if (BUILD_TESTING)`
`711`	`711`	`src/openvpn/crypto_mbedtls.c`
`712`	`712`	`src/openvpn/crypto_openssl.c`
`713`	`713`	`src/openvpn/crypto.c`
	`714`	`+ src/openvpn/fdmisc.c`
`714`	`715`	`src/openvpn/otime.c`
`715`	`716`	`src/openvpn/packet_id.c`
`716`	`717`	`)`