From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Mon, 8 Jun 2026 15:32:48 +0200
Message-ID: <20260608133251.3128542-6-a@unstable.cc>
In-Reply-To: <20260608133251.3128542-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH ovpn net v2 6/9] ovpn: zero-initialize sockaddr before learning a floated endpoint

From: Antonio Quartulli

ovpn_peer_endpoints_update() builds the new remote endpoint in an on-stack struct sockaddr_storage that is left uninitialized. For IPv4 only sin_family/sin_addr/sin_port are written, leaving the 8-byte sin_zero padding as stack garbage (for IPv6, sin6_flowinfo is left uninitialized likewise).

ovpn_peer_reset_sockaddr() -> ovpn_bind_from_sockaddr() then memcpy()s sizeof(struct sockaddr_in)/sizeof(struct sockaddr_in6) bytes - padding included - into bind->remote. That buffer is later hashed with jhash() over the same length to place the peer in the by_transp_addr table, so the garbage padding lands the floated peer in an essentially random bucket. Lockless lookups in ovpn_peer_get_by_transp_addr() build their key from a zero-initialized sockaddr_storage, compute a different bucket and fail to find the peer.

This is also a plain use of uninitialized stack memory in jhash().

Zero-initialize the sockaddr_storage, matching what the lookup and netlink paths already do.

Fixes: f0281c1d3732 ("ovpn: add support for updating local or remote UDP endpoint")
Signed-off-by: Antonio Quartulli
---
 drivers/net/ovpn/peer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c index ee88251f2196..4aa5edc75dec 100644 --- a/drivers/net/ovpn/peer.c +++ b/drivers/net/ovpn/peer.c @@ -220,7 +220,7 @@ static void __ovpn_peer_hash_transp_addr(struct ovpn_peer *peer, */ void ovpn_peer_endpoints_update(struct ovpn_peer *peer, struct sk_buff *skb) { - struct sockaddr_storage ss; + struct sockaddr_storage ss = {}; struct sockaddr_in6 *sa6; bool reset_cache = false; struct sockaddr_in *sa;
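
Review bot: the `= {}` on `struct sockaddr_storage ss` in ovpn_peer_endpoints_update() is what keeps the by_transp_addr hash key stable, yet the declaration carries no comment saying so, and an initializer on a variable that is then filled in field by field is an easy target for a later cleanup. Suggest a one-line comment at the declaration noting that the bytes not explicitly written (sin_zero, sin6_flowinfo) are copied by ovpn_bind_from_sockaddr() and hashed with jhash(), so they must be zero. Since the commit message says the memcpy() in ovpn_bind_from_sockaddr() takes the padding along, it is also worth asking whether that helper should normalise those bytes itself, so the invariant does not depend on every caller zeroing its buffer.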