A server pushing "echo" without arguments can crash the client. In such a situation, the code in question receives p[1] == NULL (which was CLEAR(p)'ed above), hands it to strncmp, which then dereferences the null pointer.
Original report and analysis here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256331 Fixes: Trac #1409 Reported-by: p...@nethead.se (to FreeBSD) Signed-off-by: Matthias Andree <matthias.and...@gmx.de> --- src/openvpn/options.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 8d417206..a54bc562 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -5365,7 +5365,7 @@ add_option(struct options *options, { /* only message-related ECHO are logged, since other ECHOs * can potentially include security-sensitive strings */ - if (strncmp(p[1], "msg", 3) == 0) + if (p[1] && strncmp(p[1], "msg", 3) == 0) { msg(M_INFO, "%s:%s", pull_mode ? "ECHO-PULL" : "ECHO", -- 2.31.1
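Review bot: The comment above the `if` in the echo branch of add_option() should also state that p[1] can be NULL when "echo" is pushed without an argument, because the new `p[1] &&` guard is otherwise unexplained and easy to drop in a later cleanup. One added comment line such as "p[1] is NULL for a bare echo" next to the existing note about security-sensitive strings would do. The hunk ends before the remaining msg() arguments, so it is worth confirming that every other use of p[1] in this echo handler sits inside the guarded block; any use outside it needs the same NULL test.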