upstream/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2026-05-28 04:03:29 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fix use-after-free bug in prepare_push_reply()

Browse source 
This was introduced by commit dfd3513e, which changes the push_cipher
memory allocation from the options gc to a temporary gc.  For the
ciphername in the options structure, which has to be available longer,
change this back to using the options gc.

Apologies for not spotting this during patch review.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1476905060-29896-1-git-send-email-steffan@karger.me>
URL: http://www.mail-archive.com/search?l=mid&q=1476905060-29896-1-git-send-email-steffan@karger.me
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
Steffan Karger 2016-10-19 21:24:20 +02:00 committed by Gert Doering
parent a47d34920a
commit 83fdae3e9c
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/openvpn/push.c
View file

@ -366,7 +366,7 @@ prepare_push_reply (struct context *c, struct gc_arena *gc,
{
/* Push the first cipher from --ncp-ciphers to the client.
* TODO: actual negotiation, instead of server dictatorship. */
char *push_cipher = string_alloc(o->ncp_ciphers, gc);
char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc);
o->ciphername = strtok (push_cipher, ":");
push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
}