Hi Gert and devs! While I was working on the modified version of OpenVPN and tracing through the SSL library, I found what I think is a potential invalid memory index access. I wanted to verify with you all if this could be correct.
https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/ssl.c#L3682
https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/ssl_common.h#L712

In this file and at that line number there is an integer i that is declared outside the for loop so that it can look for the matching session key index number. However, there is an if statement after the loop which checks for the following conditions:

    if (i == TM_SIZE && is_hard_reset_method2(op))

If the key is not found, i will equal TM_SIZE, but if the second condition is false for whatever reason, the code will enter the else block, and during my debugging it entered into an invalid index of the array!

    struct tls_session *session = &multi->session[i];   (-> multi->session[TM_SIZE] !)

And as you can see, the session array is only sized for this amount:

    struct tls_session session[TM_SIZE];

In my modified version I wasn't sure of when this hard reset check condition would be true, but to prevent an invalid memory access I changed my code to be this instead:

    if (i == TM_SIZE || is_hard_reset_method2(op))

That way it helps protect the else block from potentially going into an invalid index number in the worst case. Does this seem correct to anyone else, or am I missing something else here?

Thanks again,
Jon C
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
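The pattern the post describes, a search loop that leaves its index equal to the array size when nothing matches, followed by code that indexes the array with that sentinel unless a second condition also holds, is shown below as an added, stand-alone illustration. This is not OpenVPN's code and does not reproduce ssl.c: the struct layout, the value of TM_SIZE, the session_id field and the dispatch() function are all constructed for the example. It shows the defensive shape a reviewer would look for: the "not found" case is handled entirely before any element is indexed, so the sentinel index can never reach the array.

```c
/* Constructed illustration of a sentinel-index search, not OpenVPN code. */
#include <stdbool.h>
#include <stddef.h>

#define TM_SIZE 2   /* assumed value for the example; only the name comes from the post */

struct tls_session {
    int  session_id;   /* constructed field, stands in for the real session identity */
    bool active;
};

struct tls_multi {
    struct tls_session session[TM_SIZE];   /* same sizing convention as the post quotes */
};

/* Return the index of the active session whose id matches, or TM_SIZE when
 * none does. The caller must treat TM_SIZE as "not found", never as an index. */
static int find_session(const struct tls_multi *multi, int session_id)
{
    int i;
    for (i = 0; i < TM_SIZE; ++i) {
        if (multi->session[i].active && multi->session[i].session_id == session_id) {
            break;
        }
    }
    return i;
}

/* Result codes for dispatch(): 0 = packet refused, 1 = new session opened,
 * 2 = existing session used. */
#define DISPATCH_REFUSED  0
#define DISPATCH_NEW      1
#define DISPATCH_EXISTING 2

/* Hardened dispatch: the not-found branch is fully resolved before any
 * element of multi->session is addressed, so i == TM_SIZE is never used as
 * an index regardless of whether hard_reset is true or false. */
int dispatch(struct tls_multi *multi, int session_id, bool hard_reset)
{
    int i = find_session(multi, session_id);

    if (i == TM_SIZE) {
        if (!hard_reset) {
            /* Unknown session and no reset request: refuse instead of
             * falling through to &multi->session[TM_SIZE]. */
            return DISPATCH_REFUSED;
        }
        /* Reset request for an unknown session: claim a free slot, if any. */
        for (int j = 0; j < TM_SIZE; ++j) {
            if (!multi->session[j].active) {
                multi->session[j].active = true;
                multi->session[j].session_id = session_id;
                return DISPATCH_NEW;
            }
        }
        return DISPATCH_REFUSED;   /* table full */
    }

    /* Only reached with 0 <= i < TM_SIZE: the index is provably in bounds. */
    struct tls_session *session = &multi->session[i];
    (void)session;   /* real code would process the packet on this session */
    return DISPATCH_EXISTING;
}
```

The key difference from the shape in the post is that the in-bounds guarantee comes from the control flow, not from the second half of a compound condition: a bounds check that depends on another predicate being true is exactly the kind of guard that silently disappears when that predicate is false.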
