Fix client crash on double PUSH_REPLY.
authorGert Doering <gert@greenie.muc.de>
Tue, 25 Dec 2012 12:41:50 +0000 (13:41 +0100)
committerDavid Sommerseth <davids@redhat.com>
Wed, 2 Jan 2013 11:54:37 +0000 (12:54 +0100)
Introduce an extra bool variable c2.pulled_options_md5_init_done to
keep track of md5_init state of pulled_options_state - avoid accessing
uninitialized state when a second PUSH_REPLY comes in (which only happens
under very particular circumstances).

Bug tracked down by Arne Schwabe <arne@rfc2549.rrg>.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 20121225124856.GT22465@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7216
Signed-off-by: David Sommerseth <davids@redhat.com>
src/openvpn/openvpn.h
src/openvpn/push.c

index 7abfb08717bcf95591c4e5a064d4412b26a7dd8a..bdfa6852aa2e8a8e831353d42412a04db14f965c 100644 (file)
@@ -474,6 +474,7 @@ struct context_2
   bool did_pre_pull_restore;
 
   /* hash of pulled options, so we can compare when options change */
+  bool pulled_options_md5_init_done;
   struct md5_state pulled_options_state;
   struct md5_digest pulled_options_digest;
 
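Review bot: The new flag has no comment of its own, and the existing comment "hash of pulled options, so we can compare when options change" now sits directly above the bool as if it described it. I would declare the field after the two MD5 members or document it in place, e.g. `/* true between md5_state_init() and md5_state_final() on pulled_options_state */`. The hunk does not show how struct context_2 is reset between connections, so it is worth confirming that the flag is false at the start of every session.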
index 05a38e0de64592f6b682895fa369120dd85a52eb..be50befd2643445a230818fc90698e274f9793cb 100644 (file)
@@ -446,10 +446,14 @@ process_incoming_push_msg (struct context *c,
       if (ch == ',')
        {
          struct buffer buf_orig = buf;
+         if (!c->c2.pulled_options_md5_init_done)
+           {
+             md5_state_init (&c->c2.pulled_options_state);
+             c->c2.pulled_options_md5_init_done = true;
+           }
          if (!c->c2.did_pre_pull_restore)
            {
              pre_pull_restore (&c->options);
-             md5_state_init (&c->c2.pulled_options_state);
              c->c2.did_pre_pull_restore = true;
            }
          if (apply_push_options (&c->options,
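Review bot: A repeated PUSH_REPLY is still handed to apply_push_options() with did_pre_pull_restore already true, so its options are layered on top of the first reply without pre_pull_restore(), while the freshly initialised MD5 state hashes only the second message. If pulled_options_digest is later used to decide whether the pulled options changed (that code is outside the hunk), it no longer describes the option set actually in effect. Because the message is peer-controlled and, per the commit text, rare, I would at least record it inside the new init branch: `if (c->c2.did_pre_pull_restore) msg (D_PUSH, "PUSH: additional PUSH_REPLY received after options were already pulled");`. The body of process_incoming_push_msg starts and ends outside the hunk.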
@@ -463,6 +467,7 @@ process_incoming_push_msg (struct context *c,
              case 1:
                md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
                md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
+               c->c2.pulled_options_md5_init_done = false;
                ret = PUSH_MSG_REPLY;
                break;
              case 2:
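Review bot: The flag is cleared only on the case 0/1 path, so a sequence that stops after a case 2 continuation leaves pulled_options_md5_init_done true with partial data in pulled_options_state. That could happen if apply_push_options() fails on a later message or the session ends first. The next PUSH_REPLY would then skip md5_state_init() and hash onto the leftover bytes, producing a digest that matches neither sequence. Whether this is reachable depends on code outside the hunk; if it is, clear the flag on the failure path too with `c->c2.pulled_options_md5_init_done = false;`, or wherever did_pre_pull_restore is reset.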