Fix client crash on double PUSH_REPLY.

Introduce an extra bool variable c2.pulled_options_md5_init_done to
keep track of md5_init state of pulled_options_state - avoid accessing
uninitialized state when a second PUSH_REPLY comes in (which only happens
under very particular circumstances).

Bug tracked down by Arne Schwabe <arne@rfc2549.rrg>.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 20121225124856.GT22465@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7216
Signed-off-by: David Sommerseth <davids@redhat.com>

1 files changed, 6 insertions, 1 deletions

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 05a38e0..be50bef 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -446,10 +446,14 @@ process_incoming_push_msg (struct context *c,
       if (ch == ',')
 	{
 	  struct buffer buf_orig = buf;
+	  if (!c->c2.pulled_options_md5_init_done)
+	    {
+	      md5_state_init (&c->c2.pulled_options_state);
+	      c->c2.pulled_options_md5_init_done = true;
+	    }
 	  if (!c->c2.did_pre_pull_restore)
 	    {
 	      pre_pull_restore (&c->options);
-	      md5_state_init (&c->c2.pulled_options_state);
 	      c->c2.did_pre_pull_restore = true;
 	    }
 	  if (apply_push_options (&c->options,
@@ -463,6 +467,7 @@ process_incoming_push_msg (struct context *c,
 	      case 1:
 		md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
 		md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
+	        c->c2.pulled_options_md5_init_done = false;
 		ret = PUSH_MSG_REPLY;
 		break;
 	      case 2: