From 83fdae3e9c482a3d3ceca484d96e1241359a0450 Mon Sep 17 00:00:00 2001
From: Steffan Karger
Date: Wed, 19 Oct 2016 21:24:20 +0200
Subject: [PATCH] Fix use-after-free bug in prepare_push_reply() This was introduced by commit dfd3513e, which changes the push_cipher memory allocation from the options gc to a temporary gc. For the ciphername in the options structure, which has to be available longer, change this back to using the options gc. Apologies for not spotting this during patch review.
Signed-off-by: Steffan Karger
Acked-by: Gert Doering
Message-Id: <1476905060-29896-1-git-send-email-steffan@karger.me>
URL: http://www.mail-archive.com/search?l=mid&q=1476905060-29896-1-git-send-email-steffan@karger.me
Signed-off-by: Gert Doering
---
 src/openvpn/push.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index ee2eda479..a3de2a2a7 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -366,7 +366,7 @@ prepare_push_reply (struct context *c, struct gc_arena *gc,
 {
 /* Push the first cipher from --ncp-ciphers to the client.
 * TODO: actual negotiation, instead of server dictatorship. */
- char *push_cipher = string_alloc(o->ncp_ciphers, gc);
+ char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc);
 o->ciphername = strtok (push_cipher, ":");
 push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
 }
--
2.47.2
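Review bot: The result of `strtok (push_cipher, ":")` is stored in `o->ciphername` and handed to the `%s` in `push_option_fmt` without a NULL check, and strtok returns NULL when the copied list is empty or holds only `:` separators. The condition guarding this block starts outside the hunk, so it may already exclude that case; if it does not, the push line should be guarded, e.g. `if (o->ciphername) push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);`. The lifetime rule this commit restores is also not visible at the allocation, so I would add `/* o->ciphername points into push_cipher: allocate from o->gc, not the temporary gc */` above the `string_alloc` line to keep the use-after-free from being reintroduced. Each call now appears to leave one more copy of the cipher list in `o->gc` until the options are freed, which is worth confirming is bounded if a peer can trigger this path repeatedly.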