From: Mikhail Khachaiants Date: Sat, 18 Oct 2025 08:42:31 +0000 (+0300) Subject: socket: reject mismatched address family in get_addr_generic X-Git-Tag: v2.7_rc2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f1b851dae60eb1e277315dfe6265e3a58660b16a;p=thirdparty%2Fopenvpn.git socket: reject mismatched address family in get_addr_generic Add a family check to prevent copying address data of the wrong type, which could cause buffer over-read when parsing routes or endpoints. CVE: 2025-12106 Github: OpenVPN/openvpn-private-issues#77 Signed-off-by: Mikhail Khachaiants Acked-By: Gert Doering Signed-Off-By: Gert Doering --- diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index f7317d132..8b6e35e4c 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -147,6 +147,13 @@ get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname, void struct in6_addr *ip6; in_addr_t *ip4; + if (af != ai->ai_family) + { + msg(msglevel, "Can't parse %s as IPv%d address", var_host, (af == AF_INET) ? 4 : 6); + ret = -1; + goto out; + } + switch (af) { case AF_INET:
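Review bot: In the added `msg()` call, `(af == AF_INET) ? 4 : 6` labels every family other than `AF_INET` as IPv6, so a caller passing anything but `AF_INET` or `AF_INET6` would get a misleading "Can't parse ... as IPv6 address" log line. If the function is only ever called with those two families, a short comment above the check saying so would make that assumption explicit. Otherwise the message should name the requested family without assuming it is one of the two. Two further things to confirm, since the hunk does not show them: that `ai` is always non-NULL where the new `ai->ai_family` dereference runs, and that the `out` label reached by the new `goto out` releases `ai`, so the early-exit path does not leak the resolver result. The function's header comment should also state that a family mismatch between `af` and the resolved address now returns -1, since callers parsing routes or endpoints rely on that return value.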