A server pushing "echo" without arguments can crash the client.
In such a situation, the code in question receives p[1] == NULL
(which was CLEAR(p)'ed above), hands it strncmp, which then
dereferences the null pointer.
Original report and analysis here:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256331
Fixes: Trac #1409
Reported-by: peo@nethead.se (to FreeBSD)
Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210603123019.422644-1-matthias.andree@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22486.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
{
/* only message-related ECHO are logged, since other ECHOs
* can potentially include security-sensitive strings */
- if (strncmp(p[1], "msg", 3) == 0)
+ if (p[1] && strncmp(p[1], "msg", 3) == 0)
{
msg(M_INFO, "%s:%s",
pull_mode ? "ECHO-PULL" : "ECHO",
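Review bot: The new `p[1] &&` guard on the strncmp line makes an argument-less echo skip this block silently, while the comment above it still only explains the logging policy. Consider extending that comment to state that p[1] can be NULL when the server pushes "echo" without arguments, so the check is not later removed as redundant. The hunk is cut off after the msg() call, so please confirm that nothing after this if block uses p[1] without the same check. A low-verbosity log line for the empty case would also help when diagnosing a misbehaving server.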