From: Arne Schwabe
Date: Wed, 1 Mar 2023 13:44:55 +0000 (+0100)
Subject: Only update frame calculation if we have a valid link sockets
X-Git-Tag: v2.7_alpha1~511
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2d17869f8d9d8e27f64f1a7cd1514fbbb768807b;p=thirdparty%2Fopenvpn.git

Only update frame calculation if we have a valid link sockets

Without this, we will calculate a pointer to the linksocket relative to a null pointer in get_link_socket_info(), which itself does not crash and the pointer seems not to be accessed later, so we do not get a crash here. This is still not the correct behaviour and the undefined behaviour sanitiser from llvm/clang finds this.

Change-Id: I82a20ac72f60f8770ea1b4ab0c8cdea31868abe7
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20230301134455.2810114-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26318.html
Signed-off-by: Gert Doering
---

diff --git a/src/openvpn/init.c b/src/openvpn/init.c index fa2681dc7..3a6f624fd 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -4687,14 +4687,15 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) { link_socket_init_phase2(c); - } - /* Update dynamic frame calculation as exact transport socket information - * (IP vs IPv6) may be only available after socket phase2 has finished. - * This is only needed for --static or no crypto, NCP will recalculate this - * in tls_session_update_crypto_params (P2MP) */ - frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options, - get_link_socket_info(c)); + + /* Update dynamic frame calculation as exact transport socket information + * (IP vs IPv6) may be only available after socket phase2 has finished. + * This is only needed for --static or no crypto, NCP will recalculate this + * in tls_session_update_crypto_params (P2MP) */ + frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options, + get_link_socket_info(c)); + } /* * Actually do UID/GID downgrade, and chroot, if requested.
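
Review bot: The guard that now protects get_link_socket_info(c) in init_instance() is the c->mode test (CM_P2P, CM_TOP, CM_CHILD_TCP), not a check on the link socket itself, so the "valid link socket" guarantee from the commit message is only implicit in the fact that link_socket_init_phase2(c) ran just above. The moved comment still explains only why the recalculation is needed after phase2; it would help to add one sentence there saying that the call must stay inside this block because get_link_socket_info(c) does pointer arithmetic on the socket and is undefined behaviour without one, so a later refactor does not hoist it back out. It is also worth stating in the commit message that for every other c->mode frame_calculate_dynamic() is now skipped at this point, and that those modes get their frame parameters elsewhere, since the visible change does not show that.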