From: Arne Schwabe <a...@rfc2549.org> When a key_state is in S_UNDEF the send_reliable is not initialised. So checking it might access invalid memory or null pointers.
Github: fixes OpenVPN/openvpn#449 Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac [a...@unstable.cc: add check for !send_reliable and message] Signed-off-by: Arne Schwabe <a...@rfc2549.org> Acked-by: Gert Doering <g...@greenie.muc.de> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/426 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering <g...@greenie.muc.de> diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index cee4afe..b4cd8f5 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -3189,6 +3189,22 @@ for (int i = 0; i < KS_SIZE; i++) { struct key_state *ks = &session->key[i]; + if (ks->state == S_UNDEF) + { + continue; + } + + /* we don't expect send_reliable to be NULL when state is + * not S_UNDEF, but people have reported crashes nonetheless, + * therefore we better catch this event, report and exit. + */ + if (!ks->send_reliable) + { + msg(M_FATAL, "ERROR: session->key[%d]->send_reliable is NULL " + "while key state is %s. Exiting.", + i, state_name(ks->state)); + } + for (int j = 0; j < ks->send_reliable->size; j++) { if (ks->send_reliable->array[i].buf.data == dataptr) _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
