socket: reject mismatched address family in get_addr_generic

Add a family check to prevent copying address data of the wrong type,
which could cause buffer over-read when parsing routes or endpoints.

CVE: 2025-12106

Github: OpenVPN/openvpn-private-issues#77

Signed-off-by: Mikhail Khachaiants <mkhachaiants@gmail.com>
Acked-By: Gert Doering <gert@greenie.muc.de>
Signed-Off-By: Gert Doering <gert@greenie.muc.de>

Author: tyler92

src/openvpn/socket.c

@@ -147,6 +147,13 @@ get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname, void
         struct in6_addr *ip6;
         in_addr_t *ip4;
 
+        if (af != ai->ai_family)
+        {
+            msg(msglevel, "Can't parse %s as IPv%d address", var_host, (af == AF_INET) ? 4 : 6);
+            ret = -1;
+            goto out;
+        }
+
         switch (af)
         {
             case AF_INET: