Do not check key_state buffers that are in S_UNDEF state

When a key_state is in S_UNDEF the send_reliable is not initialised. So checking it might access invalid memory or null pointers. Github: fixes #449 Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac [a@unstable.cc: add check for !send_reliable and message] Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20231115103331.18050-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27401.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit a903ebe)
OpenVPN · Nov 15, 2023 · b90ec6d · b90ec6d
1 parent 0c174e4
commit b90ec6d
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
@@ -3192,6 +3192,22 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
     for (int i = 0; i < KS_SIZE; i++)
     {
         struct key_state *ks = &session->key[i];
+        if (ks->state == S_UNDEF)
+        {
+            continue;
+        }
+
+        /* we don't expect send_reliable to be NULL when state is
+         * not S_UNDEF, but people have reported crashes nonetheless,
+         * therefore we better catch this event, report and exit.
+         */
+        if (!ks->send_reliable)
+        {
+            msg(M_FATAL, "ERROR: session->key[%d]->send_reliable is NULL "
+                "while key state is %s. Exiting.",
+                i, state_name(ks->state));
+        }
+
         for (int j = 0; j < ks->send_reliable->size; j++)
         {
             if (ks->send_reliable->array[i].buf.data == dataptr)