From patchwork Thu Jun 3 02:30:19 2021
X-Patchwork-Submitter: Matthias Andree
X-Patchwork-Id: 1845
From: Matthias Andree
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 3 Jun 2021 14:30:19 +0200
Message-Id: <20210603123019.422644-1-matthias.andree@gmx.de>
X-Mailer: git-send-email 2.31.1
Subject: [Openvpn-devel] [PATCH] Fix SIGSEGV (NULL deref) receiving push "echo"
Cc: peo@nethead.se, Matthias Andree

A server pushing "echo" without arguments can crash the client. In such a situation, the code in question receives p[1] == NULL (which was CLEAR(p)'ed above), hands it strncmp, which then dereferences the null pointer.

Original report and analysis here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256331

Fixes: Trac #1409
Reported-by: peo@nethead.se (to FreeBSD)
Signed-off-by: Matthias Andree
Acked-by: Gert Doering
---
 src/openvpn/options.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.31.1

diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 8d417206..a54bc562 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -5365,7 +5365,7 @@ add_option(struct options *options, { /* only message-related ECHO are logged, since other ECHOs * can potentially include security-sensitive strings */ - if (strncmp(p[1], "msg", 3) == 0) + if (p[1] && strncmp(p[1], "msg", 3) == 0) { msg(M_INFO, "%s:%s", pull_mode ? "ECHO-PULL" : "ECHO",
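
Review bot: the new `p[1] &&` guard on the `strncmp(p[1], "msg", 3)` condition in add_option() has no comment saying why p[1] can be NULL here; the comment above it only covers the logging policy. A short remark that a pushed "echo" with no argument leaves p[1] NULL would keep a later cleanup from removing the check as redundant. The hunk ends inside the `msg(M_INFO, ...)` call, so the rest of this echo branch is not visible; please confirm that nothing after the if block reads p[1] without the same guard, and consider a regression test that feeds a bare "echo" through the pull path.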