From patchwork Fri Jun 5 18:09:25 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 4997 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:bc1d:b0:861:c897:cb9d with SMTP id jc29csp433250mab; Fri, 5 Jun 2026 11:09:53 -0700 (PDT) X-Forwarded-Encrypted: i=2; AFNElJ99JQ31NUOSvE56uU6W5FelB4GVolQDA9M1sgjBoOPFS7cnsCvYJ8WxY9p4rqh+GolrQWXtAFHn0iY=@openvpn.net X-Received: by 2002:a05:6808:23ca:b0:486:3498:d1ae with SMTP id 5614622812f47-4868dd3b301mr3049475b6e.18.1780682993051; Fri, 05 Jun 2026 11:09:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1780682993; cv=none; d=google.com; s=arc-20240605; b=eIFLMKRB69aGtGxTUhp4tiNarm9ajUYXODwKA8Ahu40knPNExdCO4woJHb4meZqiue UY8XJgCgWRdHCxAo6dSocRZyQMBPytcjUI+gIER6lnbHCyEHdq+BZuQza7wszqTKhjCs 5gwJ4MNsfSwHUH2G2nzzIwYWzdY1lcEqcTgIMNTaAU7GlS5Bfqob8ZJNzswtUGHCU4uV snlhAYQlFNb07jAQ97WhszLS4UPQX1TLJaDPz/MoTJvOOo8Ww93Iwa97ut9kTrTJ8ia0 wLvp2I6kpG250eyxCNE6pJR51o6h5KfkWXudriPmr1K6cglDKYBtQmNo24+HpVZ1Pmge CiaQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=5zChISPRRabAyxowfI51r6SEXK8gVH9b1v90jDdKVJw=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=EI4CIsZYxKzpw59JthiJ5/yUsHcPzu2HFntVD+iY/IHUbO6dKzBeEHyce3MGIVx7zw m0zb7apV7NngTWgjJW7pkcmgcJPzj4jMHwegey3jpU7KbXcQs5La6P3RIxPzxSF3SJy4 vAmte3VKX53ILBa3AfkFjkBjJKgeamc4wIijQlurIC6e/I4akdVecRQEx0OwyMDQQ4RY h0HdH/fG/I4cvThUmu8Epno8xYXqyL0ue+uFU4hA9yY9Tnw58iCnJjzJmGWYkijnYJDF KXKtQ4bspIATf4pRpiApfGMvjxOfLOIGdoHkCpUYmRUmWG7jxrMT0ehXW6D4LTWX/YRS ctgw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=j13L25M3; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b="b/my7nWy"; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=OSJC5BW9; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 46e09a7af769-7e6e74731ccsi6783562a34.41.2026.06.05.11.09.52 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 05 Jun 2026 11:09:53 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=j13L25M3; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b="b/my7nWy"; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=OSJC5BW9; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=5zChISPRRabAyxowfI51r6SEXK8gVH9b1v90jDdKVJw=; b=j13L25M3z4IDTYOAWUZGZZ4v1P CwpTyVCYEYU3S0NMNo0bCxvuTwMrIwBN8cWkMivNjq+LpV059IK3LfHQLKPuM87bDv9c8rLXxBuAQ +b9TUnMTOPdhABDKWTgHAEOwQa3qZ/Nym87LJt5zdfO4caQF9fdvYCPA8j0e6EQ4e584=; Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com) by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1wVYzK-0006Rl-4B; Fri, 05 Jun 2026 18:09:46 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1wVYzI-0006Rf-4A for openvpn-devel@lists.sourceforge.net; Fri, 05 Jun 2026 18:09:44 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=lfvUY4VWiN17IWp50/psskd76wQE9gGnDrZZBj2Hwck=; b=b/my7nWy48DhbAMqH66/Sftp1e AzgXsr8kJv/H+/xXDcfVWGpxmGiRSRLoy+XDgCXh5NHwzJAck0OLvZTW2pZQSGimacTsdIHrBTDtN y9fHtADIKWXH+kKlIolYXHCj+RwwB2qzieooepqbUdXSrgyTzXpmyz+Xv3WSvR2a/GMo=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=lfvUY4VWiN17IWp50/psskd76wQE9gGnDrZZBj2Hwck=; b=OSJC5BW98kKL9E6OGBuhrvpQfD TBSsVig0RE6a32u/8PBV7kNI1AYd/u3Uy06MEcczZUul+of8Ag1lww9LCk4BKGrorlUfa1Y4IjHp1 jxzxC0Qsr/xvxiJSx01df/Nj3ope5VfgRFdEfCJYDmHD7jxQcC8319K2GxvlcIOayikA=; Received: from [193.149.48.129] (helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1wVYzH-0002LL-5h for openvpn-devel@lists.sourceforge.net; Fri, 05 Jun 2026 18:09:44 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.18.1/8.18.1) with ESMTP id 655I9VNW003570 for ; Fri, 5 Jun 2026 20:09:31 +0200 Received: (from gert@localhost) by blue.greenie.muc.de (8.18.2/8.18.1/Submit) id 655I9Vbt003569 for openvpn-devel@lists.sourceforge.net; Fri, 5 Jun 2026 20:09:31 +0200 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Fri, 5 Jun 2026 20:09:25 +0200 Message-ID: <20260605180931.3547-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.53.0 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-2.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Arne Schwabe The normal path ensure that the minimum tun mtu is set to at least TUN_MTU_MIN. However, the pushed options path does not have this restriction. Check that the tun-mtu is within the limits of min/max mtu in options.c. This ensure that the check is also correctly done on the pushed variant. Content analysis details: (1.3 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS X-Headers-End: 1wVYzH-0002LL-5h Subject: [Openvpn-devel] [PATCH v1] Ensure pushed tun-mtu is no lower than TUN_MTU_MIN X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: 1867181449836759485 X-GMAIL-MSGID: 1867181449836759485 From: Arne Schwabe The normal path ensure that the minimum tun mtu is set to at least TUN_MTU_MIN. However, the pushed options path does not have this restriction. Check that the tun-mtu is within the limits of min/max mtu in options.c. This ensure that the check is also correctly done on the pushed variant. Also add an extra check to keep the allowed payload for icmp6 packets to be at least 64 bytes in the the block-ipv6 code path (ipv6_send_icmp_unreachable) as extra layer of defence. Pushing a low mtu like 1 and also block-ipv6 could trigger an assertion in the ipv6_send_icmp_unreachable code path. Reported-By: Haiyang Huang Change-Id: Iff8b336126a5dff9871213664b1e8585fb70d21e Signed-off-by: Arne Schwabe Acked-by: MaxF Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1707 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1707 This mail reflects revision 1 of this Change. Signed-off-by line for the author was added as per our policy. Acked-by according to Gerrit (reflected above): MaxF diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 27cfd36..d24f534 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1598,7 +1598,9 @@ * frame should be <= 1280 and have as much as possible of the original * packet */ - const int max_payload_size = min_int(MAX_ICMPV6LEN, c->c2.frame.tun_mtu - icmpheader_len); + int max_payload_size = min_int(MAX_ICMPV6LEN, c->c2.frame.tun_mtu - icmpheader_len); + /* Ensure that minimum payload size is at least 64 bytes as extra safety layer */ + max_payload_size = max_int(max_payload_size, 64); const int payload_len = min_int(max_payload_size, BLEN(&inputipbuf)); const uint16_t icmp_len = (uint16_t)(sizeof(struct openvpn_icmp6hdr) + payload_len); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index ca8109c..8f07e75 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -68,6 +68,11 @@ */ #define TUN_MTU_DEFAULT 1500 +/** + * Maximum MTU we accept for MTU related options + */ +#define TUN_MTU_MAX 65536 + /* * Minimum maximum MTU */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 0c2866c..128d1e5 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -6409,26 +6409,28 @@ else if (streq(p[0], "tun-mtu") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_PUSH_MTU | OPT_P_CONNECTION); - options->ce.tun_mtu = positive_atoi(p[1], msglevel); - options->ce.tun_mtu_defined = true; - if (p[2]) + if (atoi_constrained(p[1], &options->ce.tun_mtu, "tun-mtu", TUN_MTU_MIN, TUN_MTU_MAX, msglevel)) { - options->ce.occ_mtu = positive_atoi(p[2], msglevel); - } - else - { - options->ce.occ_mtu = 0; + options->ce.tun_mtu_defined = true; + if (p[2]) + { + atoi_constrained(p[2], &options->ce.occ_mtu, "tun-mtu occ-mtu", TUN_MTU_MIN, TUN_MTU_MAX, msglevel); + } + else + { + options->ce.occ_mtu = 0; + } } } else if (streq(p[0], "tun-mtu-max") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION); - atoi_constrained(p[1], &options->ce.tun_mtu_max, p[0], TUN_MTU_MAX_MIN, 65536, msglevel); + atoi_constrained(p[1], &options->ce.tun_mtu_max, p[0], TUN_MTU_MAX_MIN, TUN_MTU_MAX, msglevel); } else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION); - if (atoi_constrained(p[1], &options->ce.tun_mtu_extra, p[0], 0, 65536, msglevel)) + if (atoi_constrained(p[1], &options->ce.tun_mtu_extra, p[0], 0, TUN_MTU_MAX, msglevel)) { options->ce.tun_mtu_extra_defined = true; }