From patchwork Sat Dec 6 20:58:16 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4657
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 6 Dec 2025 21:58:16 +0100
Message-ID: <20251206205829.27254-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v1] mbedtls: gracefully exit if certificate file is NULL

From: Steffan Karger Instead of crashing because we feed a NULL pointer to strlen(), gracefully exit with an error message. While at it, improve the error message a bit. Change-Id: I0d592d9d0c7ead296869f933c206c5d55e6cbed1 Reported-By: Joshua Rogers Found-by: ZeroPath (https://zeropath.com/) Signed-off-by: Steffan Karger Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1419 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1419 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 83fca78..3440319 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -466,10 +466,14 @@ if (cert_inline) { + if (!cert_file) + { + msg(M_FATAL, "Cannot load inline certificate: NULL"); + } if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, (const unsigned char *)cert_file, strlen(cert_file) + 1))) { - msg(M_FATAL, "Cannot load inline certificate file"); + msg(M_FATAL, "Cannot load inline certificate"); } } else
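
Review bot: the new `if (!cert_file)` guard in the `cert_inline` branch has no `return` or `else`, so control reaches `strlen(cert_file) + 1` on the next statement unless `msg(M_FATAL, ...)` never returns. The commit message says the intent is to exit, so a short comment on the guard stating that `M_FATAL` terminates would make this obvious to readers and to static analysers that do not model it as noreturn. The hunk ends at `else`, so the non-inline path is not visible here; it is worth confirming that a NULL `cert_file` is rejected there too. The text "Cannot load inline certificate: NULL" also exposes a pointer state rather than the cause; wording along the lines of "no inline certificate data provided" would tell the operator what to fix.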