From patchwork Wed Jan 29 11:16:05 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4101
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 29 Jan 2025 12:16:05 +0100
Message-ID: <20250129111605.9538-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v4] mroute/management: fix uninitialized variable (UNINIT)
From: Gianmarco De Gregori

Fix issue reported by Coverity:
CID 1641564: Uninitialized variables (UNINIT)
Using uninitialized value "maddr.proto" when calling "mroute_addr_equal()".

Fix this by passing the proto along with IP:port.

While at it, changed the mroute_addr_print_ex() format to display the protocol only in case of MR_WITH_PROTO, to avoid doing it on virtual addresses when MR_WITH_PORT is not specified.

Change-Id: I4be0ff4d308213d2ef8ba66bd3178eee1f60fff1
Signed-off-by: Gianmarco De Gregori
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/880
This mail reflects revision 4 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering

diff --git a/Changes.rst b/Changes.rst index 16ae6fc..d01816b 100644 --- a/Changes.rst +++ b/Changes.rst @@ -317,6 +317,9 @@ settings will contradict the setting of allow-compression as this almost always results in a non-working connection. +- The "kill" by addr management command now requires also the protocol + as string e.g. "udp", "tcp". + Common errors with OpenSSL 3.0 and OpenVPN 2.6 ---------------------------------------------- Both OpenVPN 2.6 and OpenSSL 3.0 tighten the security considerable, so some diff --git a/doc/management-notes.txt b/doc/management-notes.txt index b55135a..f1d2930 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -205,8 +205,12 @@ kill Test-Client -- kill the client instance having a common name of "Test-Client". - kill 1.2.3.4:4000 -- kill the client instance having a - source address and port of 1.2.3.4:4000 + kill tcp:1.2.3.4:4000 -- kill the client instance having a + source address, port and proto of + tcp:1.2.3.4:4000 + + Note that kill by address won't work for IPv6-connected + clients yet, so rely on kill by CN or CID instead. Use the "status" command to see which clients are connected. 
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 0c77f85..a796dbe 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -544,45 +544,52 @@ struct buffer buf; char p1[128]; char p2[128]; + char p3[128]; int n_killed; buf_set_read(&buf, (uint8_t *) victim, strlen(victim) + 1); buf_parse(&buf, ':', p1, sizeof(p1)); buf_parse(&buf, ':', p2, sizeof(p2)); + buf_parse(&buf, ':', p3, sizeof(p3)); - if (strlen(p1) && strlen(p2)) + if (strlen(p1) && strlen(p2) && strlen(p3)) { /* IP:port specified */ bool status; - const in_addr_t addr = getaddr(GETADDR_HOST_ORDER|GETADDR_MSG_VIRT_OUT, p1, 0, &status, NULL); + const in_addr_t addr = getaddr(GETADDR_HOST_ORDER|GETADDR_MSG_VIRT_OUT, p2, 0, &status, NULL); if (status) { - const int port = atoi(p2); - if (port > 0 && port < 65536) + const int port = atoi(p3); + const int proto = (streq(p1, "tcp")) ? PROTO_TCP_SERVER : + (streq(p1, "udp")) ? PROTO_UDP : PROTO_NONE; + + if ((port > 0 && port < 65536) && (proto != PROTO_NONE)) { - n_killed = (*man->persist.callback.kill_by_addr)(man->persist.callback.arg, addr, port); + n_killed = (*man->persist.callback.kill_by_addr)(man->persist.callback.arg, addr, port, proto); if (n_killed > 0) { - msg(M_CLIENT, "SUCCESS: %d client(s) at address %s:%d killed", + msg(M_CLIENT, "SUCCESS: %d client(s) at address %s:%s:%d killed", n_killed, + proto2ascii(proto, AF_INET, true), print_in_addr_t(addr, 0, &gc), port); } else { - msg(M_CLIENT, "ERROR: client at address %s:%d not found", + msg(M_CLIENT, "ERROR: client at address %s:%s:%d not found", + proto2ascii(proto, AF_INET, true), print_in_addr_t(addr, 0, &gc), port); } } else { - msg(M_CLIENT, "ERROR: port number is out of range: %s", p2); + msg(M_CLIENT, "ERROR: port number or protocol out of range: %s %s", p3, p1); } } else { - msg(M_CLIENT, "ERROR: error parsing IP address: %s", p1); + msg(M_CLIENT, "ERROR: error parsing IP address: %s", p2); } } else if (strlen(p1)) 
diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index f501543..02ceb82 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -180,7 +180,7 @@ void (*status) (void *arg, const int version, struct status_output *so); void (*show_net) (void *arg, const int msglevel); int (*kill_by_cn) (void *arg, const char *common_name); - int (*kill_by_addr) (void *arg, const in_addr_t addr, const int port); + int (*kill_by_addr) (void *arg, const in_addr_t addr, const int port, const int proto); void (*delete_event) (void *arg, event_t event); int (*n_clients) (void *arg); bool (*send_cc_message) (void *arg, const char *message, const char *parameter); diff --git a/src/openvpn/mroute.c b/src/openvpn/mroute.c index 74923cf..24b9543 100644 --- a/src/openvpn/mroute.c +++ b/src/openvpn/mroute.c @@ -276,6 +276,10 @@ addr->len = 6; addr->v4.addr = osaddr->addr.in4.sin_addr.s_addr; addr->v4.port = osaddr->addr.in4.sin_port; + if (addr->proto != PROTO_NONE) + { + addr->type |= MR_WITH_PROTO; + } } else { @@ -295,6 +299,10 @@ addr->len = 18; addr->v6.addr = osaddr->addr.in6.sin6_addr; addr->v6.port = osaddr->addr.in6.sin6_port; + if (addr->proto != PROTO_NONE) + { + addr->type |= MR_WITH_PROTO; + } } else { @@ -403,6 +411,10 @@ { buf_printf(&out, "ARP/"); } + if (maddr.type & MR_WITH_PROTO) + { + buf_printf(&out, "%s:", proto2ascii(maddr.proto, AF_INET, false)); + } buf_printf(&out, "%s", print_in_addr_t(ntohl(maddr.v4.addr), (flags & MAPF_IA_EMPTY_IF_UNDEF) ? IA_EMPTY_IF_UNDEF : 0, gc)); if (maddr.type & MR_WITH_NETBITS) @@ -426,6 +438,10 @@ case MR_ADDR_IPV6: { + if (maddr.type & MR_WITH_PROTO) + { + buf_printf(&out, "%s:", proto2ascii(maddr.proto, AF_INET6, false)); + } if (IN6_IS_ADDR_V4MAPPED( &maddr.v6.addr ) ) { buf_printf(&out, "%s", print_in_addr_t(maddr.v4mappedv6.addr, @@ -454,7 +470,6 @@ buf_printf(&out, "UNKNOWN"); break; } - buf_printf(&out, "|%d", maddr.proto); return BSTR(&out); } else 
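Review bot: the Changes.rst hunk says the protocol is now required but not where it goes in the command; spell out the new argument order there, e.g. `kill tcp:1.2.3.4:4000` as the management-notes.txt hunk documents, and state explicitly that the previous two-field form `kill 1.2.3.4:4000` is no longer recognized as an address, since scripts driving the management interface will need to be updated for this incompatible change.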
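Review bot: in the manage.c hunk the old two-field form is silently reinterpreted rather than rejected. With the new condition `if (strlen(p1) && strlen(p2) && strlen(p3))`, an operator or script that still sends `kill 1.2.3.4:4000` no longer reaches the address branch and falls through to `else if (strlen(p1))`, i.e. it is handled as a kill by common name "1.2.3.4" and reports a CN lookup failure instead of a syntax error. Consider testing for `strlen(p2) && !strlen(p3)` before the fall-through and emitting an explicit error naming the required proto:IP:port form. In the same hunk, the combined message "ERROR: port number or protocol out of range: %s %s" conflates two different failures; separate checks for the port range and for an unrecognized proto string would tell the operator which one was wrong. Also, the accepted input strings are exactly "tcp" and "udp", while the SUCCESS/ERROR messages print `proto2ascii(proto, AF_INET, true)`; please confirm that the printed spelling is something the operator can feed back into "kill" unchanged.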
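Review bot: the mroute.c print hunks change the mroute_addr_print_ex() format from an unconditional trailing `|%d` to a leading `proto:` prefix (via `proto2ascii(maddr.proto, AF_INET, false)` / `AF_INET6`) for addresses carrying MR_WITH_PROTO. Since this function feeds the real-address column of the management `status` output, that is a user-visible format change and deserves a mention next to the "kill" change in Changes.rst and management-notes.txt so that status parsers can adapt. Note too that in the MR_ADDR_IPV6 case the prefix is emitted before the IN6_IS_ADDR_V4MAPPED branch, so a v4-mapped address is printed with the AF_INET6 spelling of the protocol; worth confirming that this is the intended presentation.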
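Review bot: the first multi.c hunk removes `mi->real.proto = ls->info.proto;` from instance creation, and the only replacement in this patch is on the TCP side, where mtcp.c now assigns `mi->real.proto = mi->context.c2.link_sockets[0]->info.proto;` before calling mroute_extract_openvpn_sockaddr() so that the new `addr->type |= MR_WITH_PROTO` logic in mroute.c fires. No UDP path is touched. Please confirm that the UDP instance path already fills proto before extraction; if it does not, UDP instances keep PROTO_NONE and never get the MR_WITH_PROTO bit, and `kill udp:...` cannot match them.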
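Review bot: in the management_callback_kill_by_addr() hunk of multi.c, `maddr.proto = proto;` is assigned after `mroute_extract_openvpn_sockaddr(&maddr, &saddr, true)` has returned, but the mroute.c hunks set `addr->type |= MR_WITH_PROTO` inside that function, and only when `addr->proto != PROTO_NONE` at the time of the call. As written, maddr therefore never carries the MR_WITH_PROTO bit, whereas instance addresses built in mtcp.c (proto assigned before extraction) do; if mroute_addr_equal() compares the type field, the lookup cannot match any client. Move the assignment ahead of the extraction call, mirroring the ordering used in mtcp.c, and initialize the rest of maddr explicitly so the Coverity UNINIT finding stays fixed regardless of ordering.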
diff --git a/src/openvpn/mroute.h b/src/openvpn/mroute.h index 2659695..fbe102a 100644 --- a/src/openvpn/mroute.h +++ b/src/openvpn/mroute.h @@ -72,6 +72,9 @@ /* Indicates than IPv4 addr was extracted from ARP packet */ #define MR_ARP 16 +/* Address type mask indicating that proto # is part of address */ +#define MR_WITH_PROTO 32 + struct mroute_addr { uint8_t len; /* length of address */ uint8_t proto; diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c index 62ed044..9a8b1cb 100644 --- a/src/openvpn/mtcp.c +++ b/src/openvpn/mtcp.c @@ -111,6 +111,7 @@ ASSERT(mi->context.c2.link_sockets[0]->info.lsa->actual.dest.addr.sa.sa_family == AF_INET || mi->context.c2.link_sockets[0]->info.lsa->actual.dest.addr.sa.sa_family == AF_INET6 ); + mi->real.proto = mi->context.c2.link_sockets[0]->info.proto; if (!mroute_extract_openvpn_sockaddr(&mi->real, &mi->context.c2.link_sockets[0]->info.lsa->actual.dest, true)) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 9c8c014..b0e1941 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -794,7 +794,6 @@ { goto err; } - mi->real.proto = ls->info.proto; generate_prefix(mi); } @@ -3942,7 +3941,8 @@ } static int -management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port) +management_callback_kill_by_addr(void *arg, const in_addr_t addr, + const int port, const int proto) { struct multi_context *m = (struct multi_context *) arg; struct hash_iterator hi; @@ -3957,6 +3957,7 @@ saddr.addr.in4.sin_port = htons(port); if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true)) { + maddr.proto = proto; hash_iterator_init(m->iter, &hi); while ((he = hash_iterator_next(&hi))) {