| Message ID | 20230301091851.82243-1-kprovost@netgate.com |
|---|---|
| State | Accepted |
| Subject | [Openvpn-devel] [PATCH 2/2] options.c: enforce a minimal fragment size |
| Series | [Openvpn-devel,1/2] configure: improve FreeBSD DCO check |
Commit Message
Kristof Provost
March 1, 2023, 9:18 a.m. UTC
From: Kristof Provost <kp@FreeBSD.org>

Very low values for 'fragment' can result in a division by zero in optimal_fragment_size() (because it rounds max_frag_size down with FRAG_SIZE_ROUND_MASK).

Enforce a minimal fragment size of 68 bytes, based on RFC 791 ("Every internet module must be able to forward a datagram of 68 octets without further fragmentation.")

Signed-off-by: Kristof Provost <kprovost@netgate.com>
---
 src/openvpn/options.c | 6 ++++++
 1 file changed, 6 insertions(+)
Comments
Acked-by: Gert Doering <gert@greenie.muc.de>

Straightforward :-) - and we really shouldn't divide by zero..

I have adjusted the message to read "--fragment ..." (with dashes), because that's what we seem to do in other option-related error messages.

Your patch has been applied to the master and release/2.6 branch.

commit 78e504210add19343e65f5c5b80be9ea6e9e95ab (master)
commit b9a9de156bc3ad517bfc6d1042ad0ef0350b638e (release/2.6)
Author: Kristof Provost
Date: Wed Mar 1 10:18:51 2023 +0100

    options.c: enforce a minimal fragment size

    Signed-off-by: Kristof Provost <kprovost@netgate.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20230301091851.82243-1-kprovost@netgate.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26313.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 9105449c..9f79da09 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -6549,6 +6549,12 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); options->ce.fragment = positive_atoi(p[1]); + if (options->ce.fragment < 68) + { + msg(msglevel, "fragment needs to be at least 68"); + goto err; + } + if (p[2] && streq(p[2], "mtu")) { options->ce.fragment_encap = true;
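Review bot: the literal 68 appears twice in the new check right after `options->ce.fragment = positive_atoi(p[1]);`, once in the comparison and once in the message string, and nothing in the code says where it comes from. A named constant with a short comment carrying the RFC 791 rationale from the commit message would keep the two in sync and explain the bound to the next reader. The message text would also read better as "--fragment needs to be at least 68", matching the other option-related errors, which is the adjustment made on commit. Finally, this guards only the option-parsing path: the commit message places the division by zero in optimal_fragment_size(), so it is worth stating in a comment why 68 is enough to keep the rounded max_frag_size non-zero, or adding a defensive zero check at the division itself.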