From: Steffan Karger <steffan@karger.me>
Date: Wed, 19 Oct 2016 19:24:20 +0000 (+0200)
Subject: Fix use-after-free bug in prepare_push_reply()
X-Git-Tag: v2.4_alpha2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=83fdae3e9c482a3d3ceca484d96e1241359a0450;p=thirdparty%2Fopenvpn.git

Fix use-after-free bug in prepare_push_reply()

This was introduced by commit dfd3513e, which changes the push_cipher
memory allocation from the options gc to a temporary gc.  For the
ciphername in the options structure, which has to be available longer,
change this back to using the options gc.

Apologies for not spotting this during patch review.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1476905060-29896-1-git-send-email-steffan@karger.me>
URL: http://www.mail-archive.com/search?l=mid&q=1476905060-29896-1-git-send-email-steffan@karger.me
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index ee2eda479..a3de2a2a7 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -366,7 +366,7 @@ prepare_push_reply (struct context *c, struct gc_arena *gc,
 	{
 	  /* Push the first cipher from --ncp-ciphers to the client.
 	   * TODO: actual negotiation, instead of server dictatorship. */
-	  char *push_cipher = string_alloc(o->ncp_ciphers, gc);
+	  char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc);
 	  o->ciphername = strtok (push_cipher, ":");
 	  push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
 	}