From patchwork Mon Jun 22 12:08:51 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 5033
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 22 Jun 2026 14:08:51 +0200
Message-ID: <20260622120856.21586-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v3] options: fix use-after-free of DNS options on client connect
From: Antonio Quartulli

struct dns_options embeds its own gc_arena. When inherit_context_child()
/inherit_context_top() copy struct options by value, the child shares the
parent's DNS arena. options_detach() detached o->gc but not
o->dns_options.gc, so pre_connect_restore()'s gc_free() (and context
teardown) freed allocations the parent still referenced.

With one or more non-pushed --dhcp-option directives that yield a DNS
entry, a connecting client triggers this and the server crashes
(use-after-free in setenv_dns_options(), reported as a double free).

Detach o->dns_options.gc as well, mirroring the existing o->gc handling.

Change-Id: I49b37b5a90554fa2d4a83c8fc5608dad2a36b835
GitHub: closes openvpn/OpenVPN#1060
Signed-off-by: Antonio Quartulli
Acked-by: Arne Schwabe
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1715
---
This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1715
This mail reflects revision 3 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe

diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 0c2866c..75bd87c 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1531,7 +1531,18 @@ void options_detach(struct options *o) { + /* The options struct carries two gc_arena's (one generic and one specific + * to the DNS settings), which the by-value options + * copy in inherit_context_child()/inherit_context_top() shares with the + * source. + * + * Detach both (i.e. re-initialize them), otherwise child's call of + * gc_free() (or context teardown) would free allocations the source + * context still references, leading to a use-after-free (and subsequent + * double-free). + */ gc_detach(&o->gc); + gc_detach(&o->dns_options.gc); o->routes = NULL; o->client_nat = NULL; clone_push_list(o);
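Review bot: the new comment in options_detach() should also spell out the lifetime assumption the fix relies on: gc_detach() only drops the child's ownership, so after `gc_detach(&o->dns_options.gc);` the child's dns_options fields still point into the source context's arena, and the child must neither outlive the source nor free those blocks itself. That is the same assumption the existing `gc_detach(&o->gc);` line already makes, and stating it makes the next embedded arena added to struct options harder to overlook. Two wording nits in the comment: `gc_arena's` should be `gc_arenas`, and `otherwise child's call of` reads better as `otherwise the child's call to`.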
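The ownership mistake the commit message describes (a struct copied by value whose embedded arena is then owned, and freed, by both copies) can be shown without touching OpenVPN itself. The following is an added example, not part of this patch or of OpenVPN's own code: the arena, the struct layouts, the two detach variants and the sample strings are simplified stand-ins that mirror the shapes in the hunk. Rather than letting the child free the shared blocks (which would be the real use-after-free), it counts how many blocks the child's arenas still claim after each detach variant; every such block is one the child's gc_free() would release while the parent still references it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for OpenVPN's gc_arena (an assumption of this example, not
 * the project's real code): a linked list of blocks the arena owns. */
struct gc_entry { struct gc_entry *next; };
struct gc_arena { struct gc_entry *list; };

static void *gc_malloc(size_t size, struct gc_arena *a)
{
    struct gc_entry *e = malloc(sizeof(*e) + size);
    if (!e) abort();
    e->next = a->list;
    a->list = e;
    return e + 1;   /* payload follows the bookkeeping header */
}

/* Release every block the arena owns. */
static void gc_free(struct gc_arena *a)
{
    while (a->list) {
        struct gc_entry *next = a->list->next;
        free(a->list);
        a->list = next;
    }
}

/* Forget the blocks without freeing them: after a by-value copy of the owning
 * struct, only one copy may keep ownership. */
static void gc_detach(struct gc_arena *a) { a->list = NULL; }

static size_t gc_count(const struct gc_arena *a)
{
    size_t n = 0;
    for (const struct gc_entry *e = a->list; e; e = e->next) n++;
    return n;
}

/* Shapes mirror the patch: the DNS settings carry their own arena. */
struct dns_options { struct gc_arena gc; char *server; };
struct options { struct gc_arena gc; struct dns_options dns_options; char *name; };

/* Before the patch: only the generic arena is detached. */
static void options_detach_buggy(struct options *o)
{
    gc_detach(&o->gc);
}

/* After the patch: both arenas are detached. */
static void options_detach_fixed(struct options *o)
{
    gc_detach(&o->gc);
    gc_detach(&o->dns_options.gc);
}

/* Copy a parent's options by value into a child, run the given detach routine,
 * and return how many blocks the child's arenas still claim. Each one is a
 * block the child's gc_free() would release while the parent still uses it.
 * The blocks are freed through the parent only, so this never double-frees. */
static size_t shared_blocks_after_detach(void (*detach)(struct options *))
{
    struct options parent;
    memset(&parent, 0, sizeof(parent));
    parent.name = gc_malloc(16, &parent.gc);
    strcpy(parent.name, "server");                    /* constructed sample */
    parent.dns_options.server = gc_malloc(16, &parent.dns_options.gc);
    strcpy(parent.dns_options.server, "10.0.0.53");   /* constructed sample */

    struct options child = parent;   /* by-value copy: both arenas shared */
    detach(&child);
    size_t shared = gc_count(&child.gc) + gc_count(&child.dns_options.gc);

    gc_free(&parent.gc);
    gc_free(&parent.dns_options.gc);
    return shared;
}

int main(void)
{
    printf("buggy detach: %zu block(s) still shared with the parent\n",
           shared_blocks_after_detach(options_detach_buggy));
    printf("fixed detach: %zu block(s) still shared with the parent\n",
           shared_blocks_after_detach(options_detach_fixed));
    return 0;
}
```

With the pre-patch detach the child still claims the one DNS block, which is exactly the allocation the commit message says pre_connect_restore()'s gc_free() released out from under the parent; with both arenas detached the child claims nothing and the parent remains the sole owner. Note that detaching does not make the child independent: its copied pointer fields still alias the parent's blocks, so the parent has to outlive the child in either variant.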