diff options
| author | Arne Schwabe | 2023-11-15 11:33:31 +0100 |
|---|---|---|
| committer | Gert Doering | 2023-11-15 13:10:46 +0100 |
| commit | b90ec6dabfb151dd93ef00081bbc3f55e7d3450f (patch) | |
| tree | 8a66d78e4aec6e274dd549896df13a6d73a374fc | |
| parent | 0c174e4e7b6caa1111fbf4773acdfbbcf122489d (diff) | |
| download | openvpn-b90ec6dabfb151dd93ef00081bbc3f55e7d3450f.zip openvpn-b90ec6dabfb151dd93ef00081bbc3f55e7d3450f.tar.gz | |
Do not check key_state buffers that are in S_UNDEF state
When a key_state is in S_UNDEF the send_reliable is not initialised. So
checking it might access invalid memory or null pointers.
Github: fixes OpenVPN/openvpn#449
Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac
[a@unstable.cc: add check for !send_reliable and message]
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231115103331.18050-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27401.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a903ebe9361d451daee71c225e141f4e1b67107d)
| -rw-r--r-- | src/openvpn/ssl.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 9e0ad02..12bc85f 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -3192,6 +3192,22 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session) for (int i = 0; i < KS_SIZE; i++) { struct key_state *ks = &session->key[i]; + if (ks->state == S_UNDEF) + { + continue; + } + + /* we don't expect send_reliable to be NULL when state is + * not S_UNDEF, but people have reported crashes nonetheless, + * therefore we better catch this event, report and exit. + */ + if (!ks->send_reliable) + { + msg(M_FATAL, "ERROR: session->key[%d]->send_reliable is NULL " + "while key state is %s. Exiting.", + i, state_name(ks->state)); + } + for (int j = 0; j < ks->send_reliable->size; j++) { if (ks->send_reliable->array[i].buf.data == dataptr) |