git.ipfire.org Git - thirdparty/openvpn.git/commit
Fix potential double-free() in Interactive Service (CVE-2018-9336)
author Gert Doering <gert@greenie.muc.de>
Sat, 14 Apr 2018 07:26:17 +0000 (09:26 +0200)
committer Gert Doering <gert@greenie.muc.de>
Thu, 19 Apr 2018 15:10:42 +0000 (17:10 +0200)
commit da242af8d3750a231bfd687d0a92cf2004dae988
tree 827b42ee586bfc122c4ddeef25715bafee781ab6
parent 5213573f7d6ba41639edc362801efe076906a7e4
Fix potential double-free() in Interactive Service (CVE-2018-9336)

Malformed input data on the service pipe towards the OpenVPN interactive
service (normally used by the OpenVPN GUI to request openvpn instances
from the service) can result in a double free() in the error handling code.

This usually only leads to a process crash (DoS by an unprivileged local
account) but since it could possibly lead to memory corruption if
happening while multiple other threads are active at the same time,
CVE-2018-9336 has been assigned to acknowledge this risk.

Fix by ensuring that sud->directory is set to NULL in GetStartUpData()
for all error cases (thus not being free()ed in FreeStartupData()).

Rewrite control flow to use explicit error label for error exit.

Discovered and reported by Jacob Baines <jbaines@tenable.com>.

CVE: 2018-9336

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20180414072617.25075-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20180414072617.25075-1-gert@greenie.muc.de

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1394192b210cb3c6624a7419bcf3ff966742e79b)
src/openvpnserv/interactive.c
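As an added illustration that is not OpenVPN's code and does not reproduce interactive.c: a small C model of the bug class the commit message describes (an error path that frees sud->directory but leaves the pointer set, so the caller's FreeStartupData() frees it again) next to the shape of the fix (one error label that frees and resets the field). The record layout, the two-field pipe message format, both parser bodies, the message contents and the instrumented counted_free() are constructed for this example; only the function roles and the directory field follow the commit text. The release counter lets the test observe a second release of the same block without actually handing it to free() twice.

```c
/* Added example, NOT OpenVPN's code: a constructed model of the double-free the
 * commit describes and of the fix it applies.  Record layout, message format,
 * parser bodies and the instrumented free are all hypothetical. */
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed startup-data record: only the field named in the commit. */
typedef struct { char *directory; } startup_data_t;

/* Instrumented free: remembers the last block handed to free() and counts any
 * attempt to release it again, without passing it to free() a second time
 * (that would be undefined behaviour rather than a demonstration). */
static void *g_last_freed;
static int g_double_free_count;
static void counted_free(void *p)
{
    if (p == NULL) return;
    if (p == g_last_freed) { g_double_free_count++; return; }   /* the bug class */
    g_last_freed = p;
    free(p);
}

/* Constructed message format: <directory>\0<options>\0.  Returns the start of
 * the field after the one at p, or NULL if no terminator lies in [p, end). */
static const char *next_field(const char *p, const char *end)
{
    const char *nul = memchr(p, '\0', (size_t)(end - p));
    return nul != NULL ? nul + 1 : NULL;
}

/* Caller-side cleanup, run after every parse attempt (FreeStartupData()'s role). */
static void free_startup_data(startup_data_t *sud)
{
    counted_free(sud->directory);
    sud->directory = NULL;
}

/* Pre-fix shape: a late parse error releases the directory copy but leaves the
 * field pointing at it, so free_startup_data() releases it again. */
static int get_startup_data_vuln(const char *msg, size_t len, startup_data_t *sud)
{
    const char *end = msg + len;
    const char *opts = next_field(msg, end);
    sud->directory = NULL;
    if (opts == NULL) return 0;
    sud->directory = strdup(msg);
    if (sud->directory == NULL) return 0;
    if (next_field(opts, end) == NULL) {
        counted_free(sud->directory);   /* released here ... */
        return 0;                        /* ... and still non-NULL on return */
    }
    return 1;
}

/* Post-fix shape, following the commit text: a single error label releases
 * what was allocated and resets the field, so the caller's cleanup skips it. */
static int get_startup_data_fixed(const char *msg, size_t len, startup_data_t *sud)
{
    const char *end = msg + len;
    const char *opts = next_field(msg, end);
    sud->directory = NULL;
    if (opts == NULL) goto err;
    sud->directory = strdup(msg);
    if (sud->directory == NULL) goto err;
    if (next_field(opts, end) == NULL) goto err;
    return 1;
err:
    counted_free(sud->directory);
    sud->directory = NULL;
    return 0;
}

typedef struct { int parsed_ok; int double_frees; } scenario_result_t;
/* Parse one message with the chosen parser, then always run the caller's
 * cleanup: the sequence in which the bug manifests. */
static scenario_result_t run_scenario(int use_fixed, const char *msg, size_t len)
{
    startup_data_t sud = { NULL };
    scenario_result_t r;
    g_last_freed = NULL;
    g_double_free_count = 0;
    r.parsed_ok = use_fixed ? get_startup_data_fixed(msg, len, &sud)
                            : get_startup_data_vuln(msg, len, &sud);
    free_startup_data(&sud);
    r.double_frees = g_double_free_count;
    return r;
}

/* Constructed messages; sizeof(X) - 1 drops the literal's own trailing NUL. */
static const char GOOD_MSG[] = "C:\\cfg\0--verb 3\0";  /* both fields terminated */
static const char BAD_MSG[]  = "C:\\cfg\0--verb 3";    /* options never terminated */

int main(void)
{
    scenario_result_t good = run_scenario(1, GOOD_MSG, sizeof(GOOD_MSG) - 1);
    scenario_result_t v = run_scenario(0, BAD_MSG, sizeof(BAD_MSG) - 1);
    scenario_result_t f = run_scenario(1, BAD_MSG, sizeof(BAD_MSG) - 1);
    printf("well-formed parsed=%d; malformed: pre-fix double frees=%d, post-fix=%d\n",
           good.parsed_ok, v.double_frees, f.double_frees);
    return 0;
}
```

The point the counter makes visible is the one the commit relies on: ownership of sud->directory must be unambiguous at every return from the parser. Either the parser keeps the allocation and the caller's cleanup frees it, or the parser frees it and nulls the field so the cleanup sees nothing to do; the pre-fix path did both halves of neither rule. The single error label also removes the chance of a future early return repeating the mistake, which is why the commit rewrote the control flow rather than patching one branch.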