From patchwork Sat Dec 6 20:54:53 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4656
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 6 Dec 2025 21:54:53 +0100
Message-ID: <20251206205458.27028-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.51.2
Subject: [Openvpn-devel] [PATCH v1] Prevent crash on invalid server-ipv6 argument

From: Klemens Nanni

`get_addr_generic()` expects `openvpn_getaddrinfo()` to return a newly
allocated struct, but getaddrinfo(3) failure leaves `*ai = NULL` as-is.

Unlike free(3), freeaddrinfo(3) requires a valid struct, thus the following
is enough to trigger a NULL pointer dereference in libc:

```
$ openvpn --server-ipv6 ''
2025-12-06 11:59:18 RESOLVE: Cannot resolve host address: :[AF_INET6] (no address associated with name)
Segmentation fault (core dumped)
```

Guard against empty `ai`, i.e. failure, like similar code already does:

```
$ ./openvpn --server-ipv6 ''
2025-12-06 12:05:11 RESOLVE: Cannot resolve host address: :[AF_INET6] (no address associated with name)
Options error: error parsing --server-ipv6 parameter
Use --help for more information.
```

Spotted through a configuration typo "server-ipv6 fd00:/64" with 2.6.17,
reproduced with and tested against 2.7rc3 on OpenBSD/amd64 7.8-current.

Change-Id: I99a6604fdfc682f9609bfe7672aa78285084dcb9
Signed-off-by: Klemens Nanni Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1418 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1418 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 46bedf4..80c2895 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -189,7 +189,10 @@ *sep = '/'; } out: - freeaddrinfo(ai); + if (ai) + { + freeaddrinfo(ai); + } free(var_host); return ret;
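
Review bot: The new `if (ai)` guard at the `out:` label only helps if `ai` is guaranteed to be NULL on every path that reaches `out:` without a successful lookup; the hunk does not show the declaration, so confirm `ai` is initialised to NULL there and is never left uninitialised by an earlier `goto out`. A one-line comment above the guard, noting that freeaddrinfo(3), unlike free(3), is not required to accept NULL, would keep a later cleanup from removing the check as redundant. The commit message gives a one-command reproducer (`--server-ipv6 ''`); a test covering that input and the `fd00:/64` typo would keep the option parser from regressing.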