Fix double-free when client repeatedly fails to pull GlobalProtect client config

When openconnect attempts to rebuild the GP connection, upon rekey or
loss-of-connectivity, it re-requests the client configuration XML
(/ssl-vpn/getconfig.esp).  It saves the old `cstp_options` prior to querying
the new ones, and then free()'s them after verifying that the IP addresses
and netmasks haven't changed.

If the config request fails to return valid XML twice in a row, the old
`cstp_options` would be double-freed, causing the crash described in
https://gitlab.com/openconnect/openconnect/issues/78.

The fix is to ensure that the old `cstp_options` are set to NULL as soon as
they're copied into `old_cstp_options`.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

diff --git a/gpst.c b/gpst.c
index 79a2170c583d7488df400d77105bfea9b18bf42f..3d55dd2022543062bcb602926a8b14ba4ec54332 100644 (file)
--- a/gpst.c
+++ b/gpst.c
@@ -618,6 +618,7 @@ static int gpst_get_config(struct openconnect_info *vpninfo)
        const char *request_body_type = "application/x-www-form-urlencoded";
        const char *method = "POST";
        char *xml_buf=NULL;
+       vpninfo->cstp_options = NULL;
 
        /* submit getconfig request */
        buf_append(request_body, "client-type=1&protocol-version=p1&app-version=4.0.5-8");