From: Steffan Karger <steffan@karger.me>
Date: Wed, 16 Aug 2017 17:04:50 +0000 (+0200)
Subject: tls-crypt: don't leak memory for incorrect tls-crypt messages
X-Git-Tag: v2.4.4~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=db52b6df6915d38a269bf68767faefd9cebf33bb;p=thirdparty%2Fopenvpn.git

tls-crypt: don't leak memory for incorrect tls-crypt messages

If tls_crypt_unwrap() failed, we would jump to cleanup and forget to free
the buffer.  Instead, allocate the buffer through gc, which is free'd in
the cleanup section.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170816170450.10415-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15282.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit fca89379c53fe2c145db96a5bcd32327c4bcfa78)
---

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index bbc117c6d..0739cf7c1 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1534,7 +1534,7 @@ read_control_auth(struct buffer *buf,
     }
     else if (ctx->mode == TLS_WRAP_CRYPT)
     {
-        struct buffer tmp = alloc_buf(buf_forward_capacity_total(buf));
+        struct buffer tmp = alloc_buf_gc(buf_forward_capacity_total(buf), &gc);
         if (!tls_crypt_unwrap(buf, &tmp, &ctx->opt))
         {
             msg(D_TLS_ERRORS, "TLS Error: tls-crypt unwrapping failed from %s",
@@ -1543,7 +1543,7 @@ read_control_auth(struct buffer *buf,
         }
         ASSERT(buf_init(buf, buf->offset));
         ASSERT(buf_copy(buf, &tmp));
-        free_buf(&tmp);
+        buf_clear(&tmp);
     }
 
     if (ctx->mode == TLS_WRAP_NONE || ctx->mode == TLS_WRAP_AUTH)