[Openvpn-devel] solaris/open_tun: prevent crash when dev is empty string

Message ID 20220917125811.13549-1-a@unstable.cc
State Accepted
Headers show
Series [Openvpn-devel] solaris/open_tun: prevent crash when dev is empty string | expand

Commit Message

Antonio Quartulli Sept. 17, 2022, 12:58 p.m. UTC
This was originally reported on GH, but never dealt with.
Make sure 'ptr' is always initialized to prevent derefence of null
pointer in case of empty dev string.

While at it, change the if condition to use ptr instead of dev, since
dev is not used anymore in the logic.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
---
 src/openvpn/tun.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Gert Doering Sept. 23, 2022, 4:32 p.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

I'm not sure how "dev" can ever be an empty string here, but if it
can be one, we shouldn't crash :-) - subjected to t_client tests on
OpenIndiana 2019 that excercise --dev tun/tap and --dev tun3/tap3

Trying around a bit, I came up with "openvpn --dev '' --dev-type tun"
which would indeed end up there with an empty *dev, leading to *ptr
pointing to random garbage (no crash here, but that's more luck in
stack layout I'd say).  With the bugfix, I get

2022-09-23 18:31:28 dev=8043451, ptr=8043451, *dev='00', *dev='', *ptr=''

.. better.

Your patch has been applied to the master branch.

commit cec4353b60bc74a2d8d78ca6b8b6f9fae02e92eb
Author: Antonio Quartulli
Date:   Sat Sep 17 14:58:11 2022 +0200

     solaris/open_tun: prevent crash when dev is empty string

     Signed-off-by: Antonio Quartulli <a@unstable.cc>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20220917125811.13549-1-a@unstable.cc>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25235.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index a17ff50f..44fad06d 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -2379,10 +2379,11 @@  open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun
         msg(M_ERR, "Can't open %s", dev_node);
     }
 
+    ptr = dev;
+
     /* get unit number */
-    if (*dev)
+    if (*ptr)
     {
-        ptr = dev;
         while (*ptr && !isdigit((int) *ptr))
         {
             ptr++;