From 6034670715965dfe5d0678b3f497d1bf8a884dbb Mon Sep 17 00:00:00 2001 From: Daniel Lenski Date: Sun, 29 Sep 2019 13:36:44 -0700 Subject: [PATCH] Fix double-free when client repeatedly fails to pull GlobalProtect client config When openconnect attempts to rebuild the GP connection, upon rekey or loss-of-connectivity, it re-requests the client configuration XML (/ssl-vpn/getconfig.esp). It saves the old `cstp_options` prior to querying the new ones, and then free()'s them after verifying that the IP addresses and netmasks haven't changed. If the config request fails to return valid XML twice in a row, the old `cstp_options` would be double-freed, causing the crash described in https://gitlab.com/openconnect/openconnect/issues/78. The fix is to ensure that the old `cstp_options` are set to NULL as soon as they're copied into `old_cstp_options`. Signed-off-by: Daniel Lenski --- gpst.c | 1 + 1 file changed, 1 insertion(+) diff --git a/gpst.c b/gpst.c index 79a2170c..3d55dd20 100644 --- a/gpst.c +++ b/gpst.c @@ -618,6 +618,7 @@ static int gpst_get_config(struct openconnect_info *vpninfo) const char *request_body_type = "application/x-www-form-urlencoded"; const char *method = "POST"; char *xml_buf=NULL; + vpninfo->cstp_options = NULL; /* submit getconfig request */ buf_append(request_body, "client-type=1&protocol-version=p1&app-version=4.0.5-8"); -- 2.49.0
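Review bot: The added `vpninfo->cstp_options = NULL;` in gpst_get_config() sits among the local declarations with no comment, and the hunk does not show the copy into `old_cstp_options` that the commit message says this assignment must follow. If that copy is made outside this function, clearing the pointer here depends on every caller having saved it first; a caller that has not would lose its only reference to the list and leak it. I would either move the assignment to sit directly after the line that saves the old options, so the ownership transfer is visible in one place, or keep it here with a short comment stating that the previous options are already held in `old_cstp_options` and are freed by whoever holds that copy. It is also worth confirming that the failure paths after the getconfig request tolerate `vpninfo->cstp_options` being NULL, since the commit message describes the crash as occurring when the request fails twice in a row.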