git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Antonio Quartulli <antonio@mandelbit.com>
	Mon, 22 Jun 2026 12:08:51 +0000 (14:08 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Mon, 22 Jun 2026 13:28:19 +0000 (15:28 +0200)
commit	97ec63372ab354ad48c89e73d1e37715679370ba
tree	7f62522ad96587874af84e18ba2cad7caa2681e5	tree \| snapshot
parent	4e4236ded8ce8e7e191a5091d55c286c0071f341	commit \| diff

options: fix use-after-free of DNS options on client connect

struct dns_options embeds its own gc_arena. When inherit_context_child()
/inherit_context_top() copy struct options by value, the child shares the
parent's DNS arena. options_detach() detached o->gc but not
o->dns_options.gc, so pre_connect_restore()'s gc_free() (and context
teardown) freed allocations the parent still referenced.

With one or more non-pushed --dhcp-option directives that yield a DNS
entry, a connecting client triggers this and the server crashes
(use-after-free in setenv_dns_options(), reported as a double free).

Detach o->dns_options.gc as well, mirroring the existing o->gc handling.

Change-Id: I49b37b5a90554fa2d4a83c8fc5608dad2a36b835
GitHub: closes openvpn/OpenVPN#1060
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1715
Message-Id: <20260622120856.21586-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg37230.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>