diff mbox series

[Openvpn-devel,v1] dco-win: Fix crash when cancelling pending operation

Message ID 20250401181535.7854-1-gert@greenie.muc.de
State Accepted
Headers show
Series [Openvpn-devel,v1] dco-win: Fix crash when cancelling pending operation | expand

Commit Message

Gert Doering April 1, 2025, 6:15 p.m. UTC 
From: Lev Stipakov <lev@openvpn.net>

The OVERLAPPED structure must remain valid for the entire duration of an
asynchronous operation. Previously, when a TCP connection was pending
inside the NEW_PEER call, the OVERLAPPED structure was defined as a
local variable within dco_p2p_new_peer().

When CancelIo() was called later from close_tun_handle(), the OVERLAPPED
structure was already out of scope, resulting in undefined behavior and
stack corruption.

This fix moves the OVERLAPPED structure to the tuntap struct, ensuring
it remains valid throughout the operation's lifetime.

GitHub: #715

Change-Id: Ib1db457c42a80f6b8fc0e3ceb4a895d4cf7f0155
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/928
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering <gert@greenie.muc.de>

Comments

Gert Doering April 1, 2025, 8:52 p.m. UTC | #1 
I haven't tested it, just stared at the code, and test compiled with
mingw.  The change itself is straightforward - move the OVERLAPPED
structure inside struct tuntap, so it will share the same lifetime
(diagnosing this from a crash trying to close tt->hand is more 
impressive ;-) )

Reference URLs point to the sf.net list archive again, because
mail-archive.org is refusing to acknowledge existence of this mail...

Your patch has been applied to the master branch.

commit f60a49362515a87ccf8db406ef422499adf34eb7
Author: Lev Stipakov
Date:   Tue Apr 1 20:15:30 2025 +0200

     dco-win: Fix crash when cancelling pending operation

     Signed-off-by: Lev Stipakov <lev@openvpn.net>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20250401181535.7854-1-gert@greenie.muc.de>
     URL: https://sourceforge.net/p/openvpn/mailman/message/59168247/
     URL: https://gerrit.openvpn.net/c/openvpn/+/928
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
diff mbox series

Patch

diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c
index 8b47124..a386e53 100644
--- a/src/openvpn/dco_win.c
+++ b/src/openvpn/dco_win.c
@@ -321,7 +321,7 @@ 
 }
 
 void
-dco_p2p_new_peer(HANDLE handle, struct link_socket *sock, struct signal_info *sig_info)
+dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock, struct signal_info *sig_info)
 {
     msg(D_DCO_DEBUG, "%s", __func__);
 
@@ -395,8 +395,8 @@ 
         ASSERT(0);
     }
 
-    OVERLAPPED ov = { 0 };
-    if (!DeviceIoControl(handle, OVPN_IOCTL_NEW_PEER, &peer, sizeof(peer), NULL, 0, NULL, &ov))
+    CLEAR(*ov);
+    if (!DeviceIoControl(handle, OVPN_IOCTL_NEW_PEER, &peer, sizeof(peer), NULL, 0, NULL, ov))
     {
         DWORD err = GetLastError();
         if (err != ERROR_IO_PENDING)
@@ -405,7 +405,7 @@ 
         }
         else
         {
-            dco_connect_wait(handle, &ov, get_server_poll_remaining_time(sock->server_poll_timeout), sig_info);
+            dco_connect_wait(handle, ov, get_server_poll_remaining_time(sock->server_poll_timeout), sig_info);
         }
     }
 }
diff --git a/src/openvpn/dco_win.h b/src/openvpn/dco_win.h
index 95c95c8..e8e4e22 100644
--- a/src/openvpn/dco_win.h
+++ b/src/openvpn/dco_win.h
@@ -63,7 +63,7 @@ 
 dco_mp_start_vpn(HANDLE handle, struct link_socket *sock);
 
 void
-dco_p2p_new_peer(HANDLE handle, struct link_socket *sock, struct signal_info *sig_info);
+dco_p2p_new_peer(HANDLE handle, OVERLAPPED *ov, struct link_socket *sock, struct signal_info *sig_info);
 
 void
 dco_start_tun(struct tuntap *tt);
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 09de1b0..beb31fa 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -2242,7 +2242,7 @@ 
     }
     else
     {
-        dco_p2p_new_peer(c->c1.tuntap->hand, sock, sig_info);
+        dco_p2p_new_peer(c->c1.tuntap->hand, &c->c1.tuntap->dco_new_peer_ov, sock, sig_info);
     }
     sock->sockflags |= SF_DCO_WIN;
 
diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h
index b616f5d..bcc23b4 100644
--- a/src/openvpn/tun.h
+++ b/src/openvpn/tun.h
@@ -215,6 +215,7 @@ 
 
 #ifdef _WIN32
     HANDLE hand;
+    OVERLAPPED dco_new_peer_ov; /* used for async NEW_PEER dco call, which might wait for TCP connect */
     struct overlapped_io reads;
     struct overlapped_io writes;
     struct rw_handle rw_handle;