From: Arne Schwabe <a...@rfc2549.org> The inner loop used i instead of j when iterating through the buffers. Since i is always between 0 and 2 and ks->send_reliable->size is (when it is defined) always 6 (TLS_RELIABLE_N_SEND_BUFFERS) this does not cause an index of out bounds. So while the check is not doing anything really useful with i instead of j, it at least is not crashing or anything similar.
Noticed-By: Jon Williams (braindead-bf) on Github issue #449 Change-Id: Ia3d5b4946138df322ebcd9e9e77d04328dacbc5d Signed-off-by: Arne Schwabe <a...@rfc2549.org> Acked-by: Frank Lichtenheld <fr...@lichtenheld.com> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/459 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld <fr...@lichtenheld.com> diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 400230c..b5d24b5 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -3207,7 +3207,7 @@ for (int j = 0; j < ks->send_reliable->size; j++) { - if (ks->send_reliable->array[i].buf.data == dataptr) + if (ks->send_reliable->array[j].buf.data == dataptr) { msg(M_INFO, "Warning buffer of freed TLS session is still in" " use (session->key[%d].send_reliable->array[%d])", _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel