| Message ID | 20260622120856.21586-1-gert@greenie.muc.de |
|---|---|
| State | New |
| Headers |
From: Gert Doering <gert@greenie.muc.de>
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 22 Jun 2026 14:08:51 +0200
Message-ID: <20260622120856.21586-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.53.0
In-Reply-To:
<gerrit.1782077103000.I49b37b5a90554fa2d4a83c8fc5608dad2a36b835@gerrit.openvpn.net>
References:
<gerrit.1782077103000.I49b37b5a90554fa2d4a83c8fc5608dad2a36b835@gerrit.openvpn.net>
Subject: [Openvpn-devel] [PATCH v3] options: fix use-after-free of DNS
options on client connect
|
| Series |
[Openvpn-devel,v3] options: fix use-after-free of DNS options on client connect
|
|
Commit Message
Gert Doering
June 22, 2026, 12:08 p.m. UTC
From: Antonio Quartulli <antonio@mandelbit.com>

struct dns_options embeds its own gc_arena. When inherit_context_child()/inherit_context_top() copy struct options by value, the child shares the parent's DNS arena. options_detach() detached o->gc but not o->dns_options.gc, so pre_connect_restore()'s gc_free() (and context teardown) freed allocations the parent still referenced.

With one or more non-pushed --dhcp-option directives that yield a DNS entry, a connecting client triggers this and the server crashes (use-after-free in setenv_dns_options(), reported as a double free).

Detach o->dns_options.gc as well, mirroring the existing o->gc handling.

Change-Id: I49b37b5a90554fa2d4a83c8fc5608dad2a36b835
GitHub: closes openvpn/OpenVPN#1060
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1715
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1715
This mail reflects revision 3 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe <arne-openvpn@rfc2549.org>

diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 0c2866c..75bd87c 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1531,7 +1531,18 @@ void options_detach(struct options *o) { + /* The options struct carries two gc_arena's (one generic and one specific + * to the DNS settings), which the by-value options + * copy in inherit_context_child()/inherit_context_top() shares with the + * source. + * + * Detach both (i.e. re-initialize them), otherwise child's call of + * gc_free() (or context teardown) would free allocations the source + * context still references, leading to a use-after-free (and subsequent + * double-free). + */ gc_detach(&o->gc); + gc_detach(&o->dns_options.gc); o->routes = NULL; o->client_nat = NULL; clone_push_list(o);
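
Review bot: In options_detach(), the new gc_detach(&o->dns_options.gc) stops the child from freeing the source's DNS allocations, but the copied o->dns_options still points at memory owned by the source arena, whereas the lines right after it reset o->routes and o->client_nat to NULL and call clone_push_list(o) so the child gets its own data. Either clone the DNS entries into the child's re-initialized arena, or extend the comment to state that the source context must outlive every by-value copy, because a gc_free() on the source side would leave the child reading freed memory, the same problem this patch fixes in the other direction. Minor: "gc_arena's" in the comment should read "gc_arenas", and the second and third comment lines are wrapped unevenly.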