diff mbox series

[Openvpn-devel,v1] Prevent NULL pointer dereference with --dns-updown

Message ID 20260128110443.24410-1-gert@greenie.muc.de
State New
Headers show
Series [Openvpn-devel,v1] Prevent NULL pointer dereference with --dns-updown | expand

Commit Message

Gert Doering Jan. 28, 2026, 11:04 a.m. UTC 
From: Heiko Hund <heiko@ist.eigentlich.net>

If the dns-updown option appears in the config twice, there is a chance
of a NULL pointer dereference when comparing the script path to the
default script path. This happens when a custom script is set, after the
dns-updown script was disabled first. In that case the script path is
NULL, which leads to the deref during a strcmp(3).

Reported-by: <aarnav@srlabs.de>
Change-Id: Id530d890ba01cffb74d3dc04ad10b153f7bea1d4
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1498
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1498
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe <arne-openvpn@rfc2549.org>

Comments

Gert Doering Jan. 28, 2026, 1:19 p.m. UTC | #1 
Thanks for the quick fix (and compliments to SR Labs for finding all these...).

For the sake of the archives - while this is a NULL-pointer crashbug, it
can not be pushed or triggered "from the outside", so it does not get a CVE,
it's just a bug.

The BBs do "does it compile and does t_client with --dns-updown work?" tests,
and this is all green, so I didn't do more than stare-at-code for a bit.

It's also not in 2.6.x, so no backporting needed.

Your patch has been applied to the master branch.

commit 62a17417de26735e04cb527c5df8137e4d50454a
Author: Heiko Hund
Date:   Wed Jan 28 12:04:37 2026 +0100

     Prevent NULL pointer dereference with --dns-updown

     Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
     Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
     Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1498
     Message-Id: <20260128110443.24410-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35479.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
diff mbox series

Patch

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 85669e0..2bca647 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -7890,7 +7890,7 @@ 
         }
         else
         {
-            if (streq(dns->updown, DEFAULT_DNS_UPDOWN))
+            if (dns->updown && streq(dns->updown, DEFAULT_DNS_UPDOWN))
             {
                 /* Unset the default command to prevent warnings */
                 dns->updown = NULL;