Skip to content

Commit

Permalink
Do not check key_state buffers that are in S_UNDEF state
Browse files Browse the repository at this point in the history
When a key_state is in S_UNDEF the send_reliable is not initialised. So
checking it might access invalid memory or null pointers.

Github: fixes #449

Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac
[[email protected]: add check for !send_reliable and message]
Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg27401.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit a903ebe)
  • Loading branch information
schwabe authored and cron2 committed Nov 15, 2023
1 parent 0c174e4 commit b90ec6d
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions src/openvpn/ssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -3192,6 +3192,22 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
for (int i = 0; i < KS_SIZE; i++)
{
struct key_state *ks = &session->key[i];
if (ks->state == S_UNDEF)
{
continue;
}

/* we don't expect send_reliable to be NULL when state is
* not S_UNDEF, but people have reported crashes nonetheless,
* therefore we better catch this event, report and exit.
*/
if (!ks->send_reliable)
{
msg(M_FATAL, "ERROR: session->key[%d]->send_reliable is NULL "
"while key state is %s. Exiting.",
i, state_name(ks->state));
}

for (int j = 0; j < ks->send_reliable->size; j++)
{
if (ks->send_reliable->array[i].buf.data == dataptr)
Expand Down

0 comments on commit b90ec6d

Please sign in to comment.