From cdfdfb3da0ce714f43b23f679a8ef9b36ab9f370 Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Thu, 15 Dec 2022 20:01:37 +0100
Subject: [PATCH] ssl_verify: Fix memleak if creating deferred auth control files fails
If the key_state_gen_auth_control_files() call fails, the code would just return without freeing the argv container. Instead the code should jump to an appropriate exit point where memory is being released. Also adjust the related comment, to indicate that these deferred auth control files are really pre-created.
Signed-off-by: David Sommerseth
Reported-by: Trail of Bits (TOB-OVPN-2)
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20221215190143.2107896-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25737.html
Signed-off-by: Gert Doering
(cherry picked from commit 0567da5377704cf64bd2599f2d49aa478d386941)
---
 src/openvpn/ssl_verify.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 76cb9f19b..228cf16e1 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -1358,12 +1358,13 @@ verify_user_pass_script(struct tls_session *session, struct tls_multi *multi,
 setenv_str(session->opt->es, "password", up->password);
 }
- /* generate filename for deferred auth control file */
+ /* pre-create files for deferred auth control */
 if (!key_state_gen_auth_control_files(&ks->script_auth, session->opt)) { msg(D_TLS_ERRORS, "TLS Auth Error (%s): " "could not create deferred auth control file", __func__);
- return OPENVPN_PLUGIN_FUNC_ERROR;
+ retval = OPENVPN_PLUGIN_FUNC_ERROR;
+ goto error;
 }
 /* call command */
@@ -1412,6 +1413,7 @@ done:
 platform_unlink(tmp_file);
 }
+error:
 argv_free(&argv);
 gc_free(&gc);
 return retval;
--
2.47.2
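Review bot: The new `goto error;` in the failure branch lands below the `done:` cleanup shown in the second hunk, so `platform_unlink(tmp_file);` is skipped on this path. If `tmp_file` can already exist when `key_state_gen_auth_control_files()` fails (the earlier part of `verify_user_pass_script()` is outside the hunk, so this is inferred), a temporary file would be left on disk, which matters if it holds the username and password. Jumping to the existing label instead, `retval = OPENVPN_PLUGIN_FUNC_ERROR;` followed by `goto done;`, would still free `argv` and `gc` and would also run the unlink, making the separate `error:` label in the second hunk unnecessary. If skipping the unlink is intended, a comment at the label such as `/* error: reached only before tmp_file is created */` would record why.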