From patchwork Wed Apr 22 05:56:30 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4906
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 22 Apr 2026 07:56:30 +0200
Message-ID: <20260422055636.20691-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v1] dco-linux: enforce ifindex only for DEL_PEER notifications

From: Ralf Lici The unconditional ifindex check introduced by commit e78a8af2f5ce rejects legitimate kernel replies, specifically peer stats responses, because those messages do not carry OVPN_ATTR_IFINDEX. Move the check into ovpn_handle_del_peer() so it applies only to spontaneous DEL_PEER notifications from the kernel. This keeps response handling working while still filtering foreign-instance notifications. Fixes: e78a8af2f5ce ("dco: backport immediate notification processing on Linux and FreeBSD") Github: closes OpenVPN/openvpn#1020 Change-Id: I9b1f4fd06c8a02d3f51b6a3bdea2f92191669660 Signed-off-by: Ralf Lici Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1636 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.6. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1636 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 8ce7026..1df56cf 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c @@ -857,6 +857,23 @@ static int ovpn_handle_del_peer(dco_context_t *dco, struct nlattr *attrs[]) { + /* we must know which interface this message is referring to in order to + * avoid mixing messages for other instances + */ + if (!attrs[OVPN_ATTR_IFINDEX]) + { + msg(D_DCO, "ovpn-dco: Received message without ifindex"); + return NL_STOP; + } + + uint32_t ifindex = nla_get_u32(attrs[OVPN_ATTR_IFINDEX]); + if (ifindex != dco->ifindex) + { + msg(D_DCO_DEBUG, "ovpn-dco: ignoring message for foreign ifindex %d", + ifindex); + return NL_SKIP; + } + if (!attrs[OVPN_ATTR_DEL_PEER]) { msg(D_DCO, "ovpn-dco: no attributes in OVPN_DEL_PEER message"); 
@@ -930,23 +947,6 @@ return NL_STOP; } - /* we must know which interface this message is referring to in order to - * avoid mixing messages for other instances - */ - if (!attrs[OVPN_ATTR_IFINDEX]) - { - msg(D_DCO, "ovpn-dco: Received message without ifindex"); - return NL_STOP; - } - - uint32_t ifindex = nla_get_u32(attrs[OVPN_ATTR_IFINDEX]); - if (ifindex != dco->ifindex) - { - msg(D_DCO_DEBUG, "ovpn-dco: ignoring message for foreign ifindex %d", - ifindex); - return NL_SKIP; - } - /* based on the message type, we parse the subobject contained in the * message, that stores the type-specific attributes. *
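
Review bot: In the block added at the top of ovpn_handle_del_peer() (first hunk), ifindex is declared as uint32_t but printed with %d in the "ignoring message for foreign ifindex %d" debug message. The specifier should match the type, so use %u (or PRIu32 from <inttypes.h>). The same block returns NL_STOP when OVPN_ATTR_IFINDEX is absent but NL_SKIP when the ifindex is foreign. Now that the check runs only for spontaneous notifications, which by the comment's own wording may belong to other instances, it is worth confirming that stopping rather than skipping is intended for a notification that carries no ifindex at all.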
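
Review bot: After the removal in the second hunk, the common path ahead of the "based on the message type" comment no longer says anything about interface filtering, so a handler added later for another spontaneous notification would process messages for foreign instances without any hint that it must check OVPN_ATTR_IFINDEX itself. Suggest leaving a short comment at the removal site stating that replies do not carry OVPN_ATTR_IFINDEX and that each notification handler is responsible for comparing it against dco->ifindex. Consider also factoring the two checks into a small helper that ovpn_handle_del_peer() calls, so the NL_STOP/NL_SKIP policy lives in one place.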