cron2 has uploaded a new patch set (#4) to the change originally created by ordex. ( http://gerrit.openvpn.net/c/openvpn/+/1715?usp=email )
The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: options: fix use-after-free of DNS options on client connect ...................................................................... options: fix use-after-free of DNS options on client connect struct dns_options embeds its own gc_arena. When inherit_context_child() /inherit_context_top() copy struct options by value, the child shares the parent's DNS arena. options_detach() detached o->gc but not o->dns_options.gc, so pre_connect_restore()'s gc_free() (and context teardown) freed allocations the parent still referenced. With one or more non-pushed --dhcp-option directives that yield a DNS entry, a connecting client triggers this and the server crashes (use-after-free in setenv_dns_options(), reported as a double free). Detach o->dns_options.gc as well, mirroring the existing o->gc handling. Change-Id: I49b37b5a90554fa2d4a83c8fc5608dad2a36b835 GitHub: closes openvpn/OpenVPN#1060 Signed-off-by: Antonio Quartulli <[email protected]> Acked-by: Arne Schwabe <[email protected]> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1715 Message-Id: <[email protected]> URL: https://www.mail-archive.com/[email protected]/msg37230.html Signed-off-by: Gert Doering <[email protected]> --- M src/openvpn/options.c 1 file changed, 11 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/15/1715/4 diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 8012192..f414024 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -1531,7 +1531,18 @@ void options_detach(struct options *o) { + /* The options struct carries two gc_arena's (one generic and one specific + * to the DNS settings), which the by-value options + * copy in inherit_context_child()/inherit_context_top() shares with the + * source. + * + * Detach both (i.e. re-initialize them), otherwise child's call of + * gc_free() (or context teardown) would free allocations the source + * context still references, leading to a use-after-free (and subsequent + * double-free). + */ gc_detach(&o->gc); + gc_detach(&o->dns_options.gc); o->routes = NULL; o->client_nat = NULL; clone_push_list(o); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1715?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I49b37b5a90554fa2d4a83c8fc5608dad2a36b835 Gerrit-Change-Number: 1715 Gerrit-PatchSet: 4 Gerrit-Owner: ordex <[email protected]> Gerrit-Reviewer: cron2 <[email protected]> Gerrit-Reviewer: flichtenheld <[email protected]> Gerrit-Reviewer: plaisthos <[email protected]> Gerrit-CC: openvpn-devel <[email protected]>
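Review bot: the new comment block above gc_detach(&o->gc) has two wording slips worth fixing before merge: "gc_arena's" should be "gc_arenas" (or "gc_arena instances"), and "child's call of gc_free()" should read "the child's call to gc_free()". The one-line code change itself (gc_detach(&o->dns_options.gc) right after gc_detach(&o->gc)) matches the commit message, but since the commit message notes the crash only surfaces with non-pushed --dhcp-option directives, a small unit test that copies struct options by value, calls options_detach() and asserts that o->dns_options.gc no longer references the source arena would keep this from regressing silently.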
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
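To make the sharing problem described in the commit message concrete, here is an added, self-contained C model of it; it is not OpenVPN's code. It uses a simplified stand-in for gc_arena (a single list of owned allocations), a struct options with an embedded struct dns_options, a by-value copy as in inherit_context_child(), and an options_detach() that either detaches only o->gc (the old behaviour) or both arenas (the fix); the DNS server string is a constructed sample value.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Simplified analogue of OpenVPN's gc_arena: a linked list of owned blocks. */
struct gc_entry { struct gc_entry *next; };
struct gc_arena { struct gc_entry *list; };

static void *gc_malloc(size_t n, struct gc_arena *a)
{
    struct gc_entry *e = malloc(sizeof(*e) + n);
    if (!e) { abort(); }
    e->next = a->list;          /* arena takes ownership of the block */
    a->list = e;
    return e + 1;               /* usable memory follows the header */
}

static void gc_free(struct gc_arena *a)
{
    while (a->list) { struct gc_entry *e = a->list; a->list = e->next; free(e); }
}

/* Detach = forget the blocks; the arena no longer owns (or frees) them. */
static void gc_detach(struct gc_arena *a) { a->list = NULL; }

struct dns_options { struct gc_arena gc; char *server; };
struct options { struct gc_arena gc; struct dns_options dns_options; };

/* detach_dns == false models the old options_detach(), true models the fix. */
static void options_detach(struct options *o, bool detach_dns)
{
    gc_detach(&o->gc);
    if (detach_dns) { gc_detach(&o->dns_options.gc); }
}

/* Returns true when, after the by-value copy and detach, the child's DNS arena
 * still owns the parent's block, i.e. a child gc_free() would free memory the
 * parent still references. Only the parent frees here, so no UB is triggered. */
bool child_would_free_parent_dns(bool detach_dns)
{
    struct options parent = {0};
    parent.dns_options.server = gc_malloc(16, &parent.dns_options.gc);
    strcpy(parent.dns_options.server, "10.0.0.53");  /* constructed sample */
    struct options child = parent;   /* by-value copy, as in inherit_context_child() */
    options_detach(&child, detach_dns);
    bool shared = child.dns_options.gc.list != NULL
               && child.dns_options.gc.list == parent.dns_options.gc.list;
    gc_free(&child.dns_options.gc == NULL ? NULL : &parent.dns_options.gc);
    return shared;
}
```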
