A server pushing "echo" without arguments can crash the client.
In such a situation, the code in question receives p[1] == NULL
(which was CLEAR(p)'ed above), hands it to strncmp, which then
dereferences the null pointer.
Original report and analysis here:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256331
Fixes: Trac #1409
Reported-by: peo@nethead.se (to FreeBSD)
Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210603123019.422644-1-matthias.andree@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22486.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -5365,7 +5365,7 @@ add_option(struct options *options, |
5365 | 5365 |
{ |
5366 | 5366 |
/* only message-related ECHO are logged, since other ECHOs |
5367 | 5367 |
* can potentially include security-sensitive strings */ |
5368 |
- if (strncmp(p[1], "msg", 3) == 0) |
|
5368 |
+ if (p[1] && strncmp(p[1], "msg", 3) == 0) |
|
5369 | 5369 |
{ |
5370 | 5370 |
msg(M_INFO, "%s:%s", |
5371 | 5371 |
pull_mode ? "ECHO-PULL" : "ECHO", |
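Review bot: the added `p[1] &&` guard on the strncmp line protects only this one comparison. With a bare "echo" the code now skips the logging branch and continues into whatever follows this `if`, which is not visible in the hunk. Please confirm that path does not read p[1] either, or reject the argument-less case once at the top of the echo handling so every later use is covered. A short comment next to the check noting that p[1] can be NULL when a server pushes "echo" without arguments would also make the reason for the guard clear to the next reader.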