Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/1715?usp=email

to review the following change.


Change subject: options: fix use-after-free of DNS options on client connect
......................................................................

options: fix use-after-free of DNS options on client connect

struct dns_options embeds its own gc_arena. When inherit_context_child()/inherit_context_top()
copy struct options by value, the child shares the parent's DNS arena. options_detach()
detached o->gc but not o->dns_options.gc, so pre_connect_restore()'s gc_free() (and context
teardown) freed allocations the parent still referenced.

With one or more non-pushed --dhcp-option directives that yield a DNS
entry, a connecting client triggers this and the server crashes
(use-after-free in setenv_dns_options(), reported as a double free).

Detach o->dns_options.gc as well, mirroring the existing o->gc handling.

Change-Id: I49b37b5a90554fa2d4a83c8fc5608dad2a36b835
Signed-off-by: Antonio Quartulli <[email protected]>
---
M src/openvpn/options.c
1 file changed, 6 insertions(+), 0 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/15/1715/1

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 0c2866c..c1e417cc 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1532,6 +1532,12 @@
 options_detach(struct options *o)
 {
     gc_detach(&o->gc);
+    /* The DNS options carry their own gc_arena, which the by-value options 
copy
+     * in inherit_context_child()/inherit_context_top() shares with the source.
+     * Detach it too, otherwise pre_connect_restore()'s gc_free() (or context
+     * teardown) would free allocations the source context still references,
+     * leading to a use-after-free/double-free. */
+    gc_detach(&o->dns_options.gc);
     o->routes = NULL;
     o->client_nat = NULL;
     clone_push_list(o);
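Review bot: the one-line fix `gc_detach(&o->dns_options.gc);` mirrors the existing `gc_detach(&o->gc);` correctly, but the six-line comment above it restates the commit message; trimming it to something like `/* dns_options has its own arena that the by-value copy shares; detach it too. */` keeps the rationale at the call site without duplicating the log. Note also that, as the patch appears in this mail, the first comment line is wrapped so that `copy` lands on its own line without a leading `+`, which will make `git am` on the mailed text fail; the Gerrit pull line above is the reliable source. Since the underlying problem is any embedded gc_arena inside struct options being shared by the by-value copy, it would be worth stating in the commit message (or a follow-up) that dns_options is the only such embedded arena, so a reader knows options_detach() is now complete rather than patched for one case. A unit test that copies a struct options, calls options_detach() on the copy, and checks that freeing the copy leaves the source's DNS entries intact would pin this regression down.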

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1715?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email

Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I49b37b5a90554fa2d4a83c8fc5608dad2a36b835
Gerrit-Change-Number: 1715
Gerrit-PatchSet: 1
Gerrit-Owner: ordex <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel