summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorLev Stipakov <lstipakov@gmail.com>2015-02-06 14:38:00 +0200
committerGert Doering <gert@greenie.muc.de>2015-02-06 20:13:04 +0100
commit2350d709e4d3c28d8850b5106169d799fdad5a29 (patch)
tree82abd2cbcf7d2fd1be9b26cada21e3256323cd39 /src
parentf95010ad247a8998e0c39e394236251fca316849 (diff)
downloadopenvpn-2350d709e4d3c28d8850b5106169d799fdad5a29.tar.gz
openvpn-2350d709e4d3c28d8850b5106169d799fdad5a29.tar.xz
openvpn-2350d709e4d3c28d8850b5106169d799fdad5a29.zip
Fix NULL dereferencing
In certain cases buf.len can be -1, which causes BPTR to return NULL and NULL pointer dereferencing on the next line. As a fix, process only packets with non-zero length. Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1423226280-9580-1-git-send-email-lstipakov@gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/9444 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src')
-rw-r--r--src/openvpn/mudp.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 3e3f750..57118f8 100644
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
@@ -52,20 +52,19 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated)
struct multi_instance *mi = NULL;
struct hash *hash = m->hash;
- if (mroute_extract_openvpn_sockaddr (&real, &m->top.c2.from.dest, true))
+ if (mroute_extract_openvpn_sockaddr (&real, &m->top.c2.from.dest, true) &&
+ m->top.c2.buf.len > 0)
{
struct hash_element *he;
const uint32_t hv = hash_value (hash, &real);
struct hash_bucket *bucket = hash_bucket (hash, hv);
uint8_t* ptr = BPTR(&m->top.c2.buf);
uint8_t op = ptr[0] >> P_OPCODE_SHIFT;
- uint32_t peer_id;
- int i;
/* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */
if (op == P_DATA_V2 && m->top.c2.buf.len >= (1 + 3))
{
- peer_id = ntohl(*(uint32_t*)ptr) & 0xFFFFFF;
+ uint32_t peer_id = ntohl(*(uint32_t*)ptr) & 0xFFFFFF;
if ((peer_id < m->max_clients) && (m->instances[peer_id]))
{
mi = m->instances[peer_id];
@@ -99,6 +98,8 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated)
mi = multi_create_instance (m, &real);
if (mi)
{
+ int i;
+
hash_add_fast (hash, bucket, &mi->real, hv, mi);
mi->did_real_hash = true;
generated by cgit (git 2.34.1) at 2024-05-01 00:59:46 +0000