Fix use-after-free bug in prepare_push_reply()

This was introduced by commit dfd3513e, which changes the push_cipher
memory allocation from the options gc to a temporary gc.  For the
ciphername in the options structure, which has to be available longer,
change this back to using the options gc.

Apologies for not spotting this during patch review.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1476905060-29896-1-git-send-email-steffan@karger.me>
URL: http://www.mail-archive.com/search?l=mid&q=1476905060-29896-1-git-send-email-steffan@karger.me
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index ee2eda47948f85c0caedb360f317d1de6ecff69a..a3de2a2a7c552424c908929d8bbac5f944a446f3 100644 (file)
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -366,7 +366,7 @@ prepare_push_reply (struct context *c, struct gc_arena *gc,
        {
          /* Push the first cipher from --ncp-ciphers to the client.
           * TODO: actual negotiation, instead of server dictatorship. */
-         char *push_cipher = string_alloc(o->ncp_ciphers, gc);
+         char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc);
          o->ciphername = strtok (push_cipher, ":");
          push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
        }