On Thu, Jun 3, 2021 at 8:32 AM Matthias Andree <matthias.and...@gmx.de> wrote: > > A server pushing "echo" without arguments can crash the client. > In such a situation, the code in question receives p[1] == NULL > (which was CLEAR(p)'ed above), hands it strncmp, which then > dereferences the null pointer. > > Original report and analysis here: > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256331 > > Fixes: Trac #1409 > Reported-by: p...@nethead.se (to FreeBSD) > Signed-off-by: Matthias Andree <matthias.and...@gmx.de> > --- > src/openvpn/options.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index 8d417206..a54bc562 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -5365,7 +5365,7 @@ add_option(struct options *options, > { > /* only message-related ECHO are logged, since other ECHOs > * can potentially include security-sensitive strings */ > - if (strncmp(p[1], "msg", 3) == 0) > + if (p[1] && strncmp(p[1], "msg", 3) == 0) > { > msg(M_INFO, "%s:%s", > pull_mode ? "ECHO-PULL" : "ECHO",
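Review bot: on the `+ if (p[1] && strncmp(p[1], "msg", 3) == 0)` line, the guard stops the NULL dereference at this strncmp, but an "echo" with no argument now simply skips the logging branch without leaving any trace, and nothing at this spot explains why p[1] can be NULL. Suggest extending the existing comment to say that p is CLEAR()'ed and that an "echo" option may arrive with no argument, and consider whether an argument-less echo should be rejected or logged instead of passing quietly. Separately, `strncmp(p[1], "msg", 3)` is a prefix match, so any argument that merely begins with "msg" is logged; if the comment's "only message-related ECHO are logged" is meant more narrowly, that is worth stating or tightening while this line is being touched.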
Argh.. good to see already committed. I take all the blame for acking the original..

This may take the award for the easiest bug to reproduce: just run "openvpn --echo" no server, no config file required.

Selva