Fix SIGSEGV (NULL deref) receiving push "echo"

A server pushing "echo" without arguments can crash the client.
In such a situation, the code in question receives p[1] == NULL
(which was CLEAR(p)'ed above), hands it to strncmp, which then
dereferences the null pointer.

Original report and analysis here:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256331

Fixes: Trac #1409
Reported-by: peo@nethead.se (to FreeBSD)
Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210603123019.422644-1-matthias.andree@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22486.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Matthias Andree authored on 2021/06/03 21:30:19
... ...
@@ -5365,7 +5365,7 @@ add_option(struct options *options,
5365 5365
         {
5366 5366
             /* only message-related ECHO are logged, since other ECHOs
5367 5367
              * can potentially include security-sensitive strings */
5368
-            if (strncmp(p[1], "msg", 3) == 0)
5368
+            if (p[1] && strncmp(p[1], "msg", 3) == 0)
5369 5369
             {
5370 5370
                 msg(M_INFO, "%s:%s",
5371 5371
                     pull_mode ? "ECHO-PULL" : "ECHO",
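
Review bot: The `p[1] &&` test added at line 5368 guards only this one strncmp call, so an "echo" pushed without arguments now skips the log statement silently, and any later use of p[1] in this branch, beyond the context shown here, would need its own NULL check. Consider rejecting an argument-less echo once at the top of the branch with a warning, so the malformed push shows up in the client log and no later code in the branch sees p[1] == NULL. As a smaller point, `strncmp(p[1], "msg", 3)` accepts any argument that merely begins with "msg"; if prefix matching is intended, the comment above the test should say so.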