Possible Segmentation Fault issue in OpenVPN 2.3.x

[dogbert2]

Hello All,

In reviewing code in OpenVPN 2.3.6, I found in file 'buffer.c'

if DMALLOC is defined, at line 553, where ret = openvpn_dmalloc
(file, line, n) which is a call to malloc() in the memdbg.h file
where it appears to reference malloc(). In the case where NULL
is returned to variable 'ret', in this case, a call to memset()
with variable 'ret' equal to NULL, which will result in a
segmentation violation/fault.

The patch file below should address this issue:

--- buffer.c.orig 2015-07-31 23:03:56.265948284 -0400
+++ buffer.c 2015-07-31 23:05:21.439948284 -0400
@@ -554,6 +554,7 @@

*/

#ifdef DMALLOC

ret = openvpn_dmalloc (file, line, n);

+ check_malloc_return(ret);

memset(ret, 0, n);

#else

ret = calloc(1, n);

Comments, Questions, Suggestions, Complaints? :)

I am attaching the patch file to this bug report...

Bill Parker (wp02855 at gmail dot com)

[dogbert2]

Patch file for ticket 586

[Gert Döring]

It's a somewhat unlikely case and would need an actual DMALLOC build to be risky - but still, as long as we're not sure that dmalloc_malloc() (which openvpn_dmalloc() maps to) never returns NULL, needs fixing...

The problematic code was introduced in commit dc7be6d0, part of a series of ambitious but not well-understood-enough cleanup changes.

[Gert Döring]

either we rip out DMALLOC or we fix it :)

[Playgame123]

SPAM