From patchwork Fri Nov 14 11:50:22 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4597
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 14 Nov 2025 12:50:22 +0100
Message-ID: <20251114115029.17432-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.1
Subject: [Openvpn-devel] [PATCH v2] recursive routing: fixes and clean-ups
From: Lev Stipakov

- get rid of atoi() for getting the remote transport port. It doesn't
  change, so no point to do it on every packet. In addition, atoi()
  breaks when we use service names as ports.
- ensure we correctly handle IPv4 headers with options
- directly use buf parameter in place of c->c2.buf

GitHub: #902

Change-Id: I8a0a8029da02fc63adc918e8d98e9f676ff4ea0d
Signed-off-by: Lev Stipakov
Acked-by: Frank Lichtenheld
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1377
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1377
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index aa1f858..90e52d2 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1382,15 +1382,24 @@ struct openvpn_sockaddr *link_addr = &c->c2.to_link_addr->dest; struct link_socket_info *lsi = get_link_socket_info(c); - uint16_t link_port = atoi(c->c2.link_sockets[0]->remote_port); int ip_hdr_offset = 0; - int tun_ip_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), &c->c2.buf, &ip_hdr_offset); + int tun_ip_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), buf, &ip_hdr_offset); if (tun_ip_ver == 4) { - /* make sure we got whole IP header and TCP/UDP src/dst ports */ - if (BLEN(buf) < ((int)sizeof(struct openvpn_iphdr) + ip_hdr_offset + sizeof(uint16_t) * 2)) + /* Ensure we can safely read the IPv4 header */ + const int min_ip_header = ip_hdr_offset + sizeof(struct openvpn_iphdr); + if (BLEN(buf) < min_ip_header) + { + return; + } + + struct openvpn_iphdr *pip = (struct openvpn_iphdr *)(BPTR(buf) + ip_hdr_offset); + const int ip_hlen = OPENVPN_IPH_GET_LEN(pip->version_len); + /* Reject malformed or truncated headers */ + if (ip_hlen < sizeof(struct openvpn_iphdr) + || BLEN(buf) < (int)(ip_hdr_offset + ip_hlen + sizeof(uint16_t) * 2)) { return; } 
@@ -1401,8 +1410,6 @@ return; } - struct openvpn_iphdr *pip = (struct openvpn_iphdr *)(BPTR(buf) + ip_hdr_offset); - /* skip if tun protocol doesn't match link protocol */ if ((lsi->proto == PROTO_TCP && pip->protocol != OPENVPN_IPPROTO_TCP) || (lsi->proto == PROTO_UDP && pip->protocol != OPENVPN_IPPROTO_UDP)) @@ -1410,9 +1417,10 @@ return; } - /* drop packets with same dest addr and port as remote */ - uint8_t *l4_hdr = (uint8_t *)pip + sizeof(struct openvpn_iphdr); + uint8_t *l4_hdr = (uint8_t *)pip + ip_hlen; + + uint16_t link_port = ntohs(link_addr->addr.in4.sin_port); /* TCP and UDP ports are at the same place in the header, and other protocols * can not happen here due to the lsi->proto check above */ @@ -1420,7 +1428,7 @@ uint16_t dst_port = ntohs(*(uint16_t *)(l4_hdr + sizeof(uint16_t))); if ((memcmp(&link_addr->addr.in4.sin_addr.s_addr, &pip->daddr, sizeof(pip->daddr)) == 0) && (link_port == dst_port)) { - c->c2.buf.len = 0; + buf->len = 0; struct gc_arena gc = gc_new(); msg(D_LOW, "Recursive routing detected, packet dropped %s:%" PRIu16 " -> %s", @@ -1433,7 +1441,8 @@ else if (tun_ip_ver == 6) { /* make sure we got whole IPv6 header and TCP/UDP src/dst ports */ - if (BLEN(buf) < ((int)sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset + sizeof(uint16_t) * 2)) + const int min_ipv6 = ip_hdr_offset + sizeof(struct openvpn_ipv6hdr) + sizeof(uint16_t) * 2; + if (BLEN(buf) < min_ipv6) { return; } 
@@ -1453,13 +1462,15 @@ return; } + uint16_t link_port = ntohs(link_addr->addr.in6.sin6_port); + /* drop packets with same dest addr and port as remote */ uint8_t *l4_hdr = (uint8_t *)pip6 + sizeof(struct openvpn_ipv6hdr); uint16_t src_port = ntohs(*(uint16_t *)l4_hdr); uint16_t dst_port = ntohs(*(uint16_t *)(l4_hdr + sizeof(uint16_t))); if ((OPENVPN_IN6_ARE_ADDR_EQUAL(&link_addr->addr.in6.sin6_addr, &pip6->daddr)) && (link_port == dst_port)) { - c->c2.buf.len = 0; + buf->len = 0; struct gc_arena gc = gc_new(); msg(D_LOW, "Recursive routing detected, packet dropped %s:%" PRIu16 " -> %s",
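Review bot: in the first IPv4 hunk (@@ -1382,15 +1382,24 @@) the integer types are mixed: `min_ip_header` is a `const int` initialised from `ip_hdr_offset + sizeof(struct openvpn_iphdr)` (a `size_t` expression), `ip_hlen < sizeof(struct openvpn_iphdr)` compares `int` with `size_t` and warns under -Wsign-compare, while the third check casts with `(int)(...)`. Suggest one style, e.g. `const int min_ip_header = ip_hdr_offset + (int)sizeof(struct openvpn_iphdr);` and `if (ip_hlen < (int)sizeof(struct openvpn_iphdr)`. The two-stage order itself is right: the fixed 20-byte header is bounds-checked before `pip->version_len` is read, and `ip_hlen` is validated before the ports are touched.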
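Review bot: the hunk at @@ -1410,9 +1417,10 @@ drops the `/* drop packets with same dest addr and port as remote */` comment from the IPv4 branch, while the IPv6 branch keeps its copy; the comparison the comment describes is unchanged, so keep it for symmetry. Reading `link_port` from `link_addr->addr.in4.sin_port` relies on `link_addr` being AF_INET in this branch, which the existing `memcmp` on `link_addr->addr.in4.sin_addr.s_addr` already assumes; since that family check is not visible in the hunk, a short comment on the new line would make the dependency explicit.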
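Review bot: in the hunk at @@ -1420,7 +1428,7 @@, `buf->len = 0;` is the correct target now that `get_tun_ip_ver()` reads from `buf` rather than `&c->c2.buf`, but it is a behaviour change for any caller that passes a buffer other than `c->c2.buf` (that buffer is now emptied instead of the context one); the commit message only says "directly use buf parameter", so a sentence noting the caller-visible effect would help.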
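Review bot: in the hunk at @@ -1433,7 +1441,8 @@, `min_ipv6` has the same `const int` from a `size_t` expression issue as `min_ip_header` in the IPv4 path; cast the `sizeof` terms to `int` (or keep the old `(int)sizeof(struct openvpn_ipv6hdr)` form) so both branches use the same convention.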
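Review bot: in the last hunk (@@ -1453,13 +1462,15 @@), `l4_hdr` is still `(uint8_t *)pip6 + sizeof(struct openvpn_ipv6hdr)`, so the ports are assumed to follow the fixed 40-byte IPv6 header directly; a packet carrying extension headers would have `src_port`/`dst_port` read from the wrong offset, unlike the new `ip_hlen`-based IPv4 path. If the `nexthdr` check above this hunk (not visible here) only admits TCP/UDP directly after the fixed header, a comment saying so would make the asymmetry intentional. The new `link_port` from `link_addr->addr.in6.sin6_port` is in network order, so `ntohs()` is correct and consistent with `dst_port`.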