[Openvpn-devel,v1] dco-linux: enforce ifindex only for DEL_PEER notifications

Message ID 20260422055636.20691-1-gert@greenie.muc.de
State New
Series [Openvpn-devel,v1] dco-linux: enforce ifindex only for DEL_PEER notifications

Commit Message

Gert Doering April 22, 2026, 5:56 a.m. UTC
From: Ralf Lici <ralf@mandelbit.com>

The unconditional ifindex check introduced by commit e78a8af2f5ce
rejects legitimate kernel replies, specifically peer stats responses,
because those messages do not carry OVPN_ATTR_IFINDEX.

Move the check into ovpn_handle_del_peer() so it applies only to
spontaneous DEL_PEER notifications from the kernel. This keeps
response handling working while still filtering foreign-instance
notifications.

Fixes: e78a8af2f5ce ("dco: backport immediate notification processing on Linux and FreeBSD")
Github: closes OpenVPN/openvpn#1020
Change-Id: I9b1f4fd06c8a02d3f51b6a3bdea2f92191669660
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1636
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to release/2.6.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1636
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering <gert@greenie.muc.de>

Comments

Gert Doering April 22, 2026, 7:05 a.m. UTC | #1
Tested this (on Ubuntu 20.04 with old-DCO) and I can confirm that 
management "status" is now back to working.  Comparison to 2.7/master
also clarified what went wrong in the previous backport commit.

Didn't test this on other platforms as only dco_linux.c is changed
(BB did, of course).

Your patch has been applied to the release/2.6 branch.

commit adece45628f78aa8f1f997850095bc9a57caefbe (release/2.6)
Author: Ralf Lici
Date:   Wed Apr 22 07:56:30 2026 +0200

     dco-linux: enforce ifindex only for DEL_PEER notifications

     Signed-off-by: Ralf Lici <ralf@mandelbit.com>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1636
     Message-Id: <20260422055636.20691-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36721.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
index 8ce7026..1df56cf 100644
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -857,6 +857,23 @@ 
 static int
 ovpn_handle_del_peer(dco_context_t *dco, struct nlattr *attrs[])
 {
+    /* we must know which interface this message is referring to in order to
+     * avoid mixing messages for other instances
+     */
+    if (!attrs[OVPN_ATTR_IFINDEX])
+    {
+        msg(D_DCO, "ovpn-dco: Received message without ifindex");
+        return NL_STOP;
+    }
+
+    uint32_t ifindex = nla_get_u32(attrs[OVPN_ATTR_IFINDEX]);
+    if (ifindex != dco->ifindex)
+    {
+        msg(D_DCO_DEBUG, "ovpn-dco: ignoring message for foreign ifindex %d",
+            ifindex);
+        return NL_SKIP;
+    }
+
     if (!attrs[OVPN_ATTR_DEL_PEER])
     {
         msg(D_DCO, "ovpn-dco: no attributes in OVPN_DEL_PEER message");
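Review bot: The log text "ovpn-dco: Received message without ifindex" at the top of ovpn_handle_del_peer() is now reachable only for DEL_PEER, so it should name the message type the way the following "no attributes in OVPN_DEL_PEER message" does. In the same block, ifindex is declared uint32_t but printed with %d; %u matches the type. The missing-ifindex path returns NL_STOP while the foreign-ifindex path returns NL_SKIP; a one-line comment on why a notification without ifindex stops processing instead of being skipped would make the asymmetry easier to review.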
@@ -930,23 +947,6 @@ 
         return NL_STOP;
     }
 
-    /* we must know which interface this message is referring to in order to
-     * avoid mixing messages for other instances
-     */
-    if (!attrs[OVPN_ATTR_IFINDEX])
-    {
-        msg(D_DCO, "ovpn-dco: Received message without ifindex");
-        return NL_STOP;
-    }
-
-    uint32_t ifindex = nla_get_u32(attrs[OVPN_ATTR_IFINDEX]);
-    if (ifindex != dco->ifindex)
-    {
-        msg(D_DCO_DEBUG, "ovpn-dco: ignoring message for foreign ifindex %d",
-            ifindex);
-        return NL_SKIP;
-    }
-
     /* based on the message type, we parse the subobject contained in the
      * message, that stores the type-specific attributes.
      *
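Review bot: With the ifindex check removed ahead of the type-based dispatch, any message type handled below other than DEL_PEER is no longer filtered by interface. Please extend the comment before the dispatch to state that handlers for unsolicited notifications must do their own OVPN_ATTR_IFINDEX check against dco->ifindex, so that a notification type added later is not processed on behalf of a foreign instance.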