From patchwork Wed Mar 1 09:18:51 2023
X-Patchwork-Submitter: Kristof Provost
X-Patchwork-Id: 3097
From: Kristof Provost
To: openvpn-devel
Date: Wed, 1 Mar 2023 10:18:51 +0100
Message-Id: <20230301091851.82243-1-kprovost@netgate.com>
X-Mailer: git-send-email 2.39.2
Subject: [Openvpn-devel] [PATCH 2/2] options.c: enforce a minimal fragment size
From: Kristof Provost Very low values for 'fragment' can result in a division by zero in optimal_fragment_size() (because it rounds max_frag_size down with FRAG_SIZE_ROUND_MASK). Enforce a minimal fragment size of 68 bytes, based on RFC 791 ("Every internet module must be able to forward a datagram of 68 octets without further fragmentation.") Signed-off-by: Kristof Provost Acked-by: Gert Doering --- src/openvpn/options.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 9105449c..9f79da09 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -6549,6 +6549,12 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); options->ce.fragment = positive_atoi(p[1]); + if (options->ce.fragment < 68) + { + msg(msglevel, "fragment needs to be at least 68"); + goto err; + } + if (p[2] && streq(p[2], "mtu")) { options->ce.fragment_encap = true;
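Review bot: the bare constant in `if (options->ce.fragment < 68)` deserves a one-line comment at the check itself, since only the commit message carries the RFC 791 rationale; something like `/* RFC 791: every host must forward a 68-octet datagram unfragmented */` above the `if`, and the diagnostic could state the unit and echo the rejected value, e.g. `msg(msglevel, "fragment needs to be at least 68 bytes (got %d)", options->ce.fragment);`, so a user reading the log knows what was parsed. Note that the bound also rejects 0, which positive_atoi() returns for negative or unparseable input, so a bad value now fails at option parsing instead of reaching the rounding in optimal_fragment_size(); that is the right outcome, but it means `--fragment 0` is no longer accepted, so it is worth confirming nothing relies on that spelling to mean "disabled". Since the option carries OPT_P_CONNECTION permission, the same lower bound applies inside connection blocks, which is what you want for a divide-by-zero guard.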