Re: [Openvpn-devel] [PATCH ovpn net] ovpn: fix use after free in unlock_ovpn()

Antonio Quartulli Mon, 08 Jun 2026 07:20:37 -0700

From: Antonio Quartulli <[email protected]>


On Mon, 08 Jun 2026 16:04:46 +0200, Marco Baffo wrote:
> unlock_ovpn() iterates over the release_list using llist_for_each_entry()
> and drops the peer reference inside the loop body via ovpn_peer_put().
> 
> If this drops the last reference, the peer is eventually freed. However,
> llist_for_each_entry() reads peer->release_entry.next in the loop advance
> expression, which runs after the body. By that time the peer may have
> already been freed, resulting in a use after free when advancing to the
> next list entry.
> 
> [...]

Applied, thanks!

[1/1] ovpn: fix use after free in unlock_ovpn()
      commit: b53407df27741dc81a85e1aec63fefb1da19ee8d

Best regards,
-- 
Antonio Quartulli <[email protected]>


_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH ovpn net] ovpn: fix use after free in unlock_ovpn()

Reply via email to