From patchwork Fri Jun 5 13:13:10 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralf Lici X-Patchwork-Id: 4994 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:bc1d:b0:861:c897:cb9d with SMTP id jc29csp220926mab; Fri, 5 Jun 2026 06:14:04 -0700 (PDT) X-Forwarded-Encrypted: i=2; AFNElJ/y/OOSnfyRxVE1XkGCuZFyvlUbDsXpNG7MKT2nebC8iuLXpp2vji9ySp2rOme1oEE9lAlGcoL9LWY=@openvpn.net X-Received: by 2002:a05:6820:4cc8:b0:696:13e9:6863 with SMTP id 006d021491bc7-69e6d30001emr894183eaf.2.1780665243875; Fri, 05 Jun 2026 06:14:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1780665243; cv=none; d=google.com; s=arc-20240605; b=N2EHskRfE3Uwdiwqa4Y2GPyJbFjWD93BY5epUudza8taTz6a6i+cDJrxpEqJEc/jum 6D1NptpRkhx6EX/zvNRlvNdxHd6Xdum1FjlOGdHMPC1INI4trvg3wF3aNCiNWHq7e92G +zn0e4Wgepb7APtZ/4VHe4UJXVAMaOAQjDCfa5BNFUONmJtVPK8gPEOpL+NlK6jjJ6F9 g7fYj4HwBg8bW1o3G5yTD+C6n0rv8eTHZ18TJwDkj8gVawv6HeSZt36Om3hNIJvjd+Im 5MLEDc/SB8xBlPhqMUTiGNzSAD0uS6b6y9lsxpJyb0P1fB8GYjWNeAL9PnmWSJ+Fhshs k10w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature:dkim-signature; bh=9whYV3I2D9sncm0YSwPmLsw37+1QF2SCrCak4Zfrrpc=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=DflwuDAqYjAD/eYFqOzUxdg0qsN/dL8CKh65bdCajFW4GLQRXEw1k2lixhGIzpwGyg F5RcIk+3e8Wwm5O84fm0ZGD4YmTITJN3+Hxa+17QleNn8P4rZybGUr/BzT6yTTEoOZWe Qc+M9cl4o5vPUpF5UcCYZPm9K3xxdTcpNdpE8Y9ZiW0DydxtVNvOpDg5GO8Um4YE9T51 /iMYbado3qFzeaXZr8t+VPNBHMm1PvgSIgUD0EJgGpvud+o8W85Suu2sSoI9Op6c4Kqk hZdLYPF0Im7gqvtC/yFLllOHKfJTkHL6FFwMXpPokgknfMgsduQPA90dkI98ycBR3RVX va1g==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=JC7pyrQ8; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=Q3CSiP5v; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=CFD+GIf7; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=eErxqmZw; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 006d021491bc7-69e46249262si5440625eaf.9.2026.06.05.06.14.03 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 05 Jun 2026 06:14:03 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=JC7pyrQ8; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=Q3CSiP5v; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=CFD+GIf7; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=eErxqmZw; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=9whYV3I2D9sncm0YSwPmLsw37+1QF2SCrCak4Zfrrpc=; b=JC7pyrQ8d1OVVkEVazh4pCv15u 8VmvtyIVzPLDfgPefXA8RBRdhIYwNNu6lmzTp8T2ttGJqBNMKuqzTcpePGC0//w8WjUg2zJbkeRtS ilBITElLJEtLHkOHrTcWszD+oYrpHa2Czgoo0srmgeULB4t9RJll6CP3w21R4Y43FRb0=; Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1wVUN5-0008W5-Q3; Fri, 05 Jun 2026 13:14:00 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1wVUN4-0008Vo-0D for openvpn-devel@lists.sourceforge.net; Fri, 05 Jun 2026 13:13:58 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=j9uEFeB5lXZ9wK9WAegMcuNlQwrvbaZtYgW0H+0x8PU=; b=Q3CSiP5vIulkKPILOP/NMaRumZ nq3LI/e/KFwYxbGCKg5UvsiNev2SqFTxSlQQ25CABZBWqHr7KAzh9zwE3GrpMeE19O6RcAfWYX5UW PQUdoxSRfliAsg38158Bb5+Hag5sSNvU8Pp6dTCCg6axnWspiVvF4nPmvhgyjdAT1ua4=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=j9uEFeB5lXZ9wK9WAegMcuNlQwrvbaZtYgW0H+0x8PU=; b=CFD+GIf7DsRJpLHGzGeXHfQ+Pn OycjS6EJcca6q0Dc1WyVKUMp5htdbCP68UkeMLFZl5BW62Vf+fFjf4Q6duSBmj2HcK3rRzIvd1xB6 p5m4RySnB5gpIZQrnLSwYKrSPR0CIMqBxjV92xUdAv6B8qfsCKQDTGMnq5JoHw3gTilQ=; Received: from mout-b-206.mailbox.org ([195.10.208.51]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1wVUN1-0006td-IL for openvpn-devel@lists.sourceforge.net; Fri, 05 Jun 2026 13:13:58 +0000 Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:b231:465::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-206.mailbox.org (Postfix) with ESMTPS id 4gX21z2TrRz9xds; Fri, 5 Jun 2026 15:13:43 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandelbit.com; s=MBO0001; t=1780665223; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=j9uEFeB5lXZ9wK9WAegMcuNlQwrvbaZtYgW0H+0x8PU=; b=eErxqmZwNlJmNeuEu5JXGmso3k2v5MQ7jj7W6vLYYOmZbx+jtgzbkrY6GOS/s6iexn+N+Y fQFabZKiSTEbf7ekU9spBluGf+tgoZnPWilJ85ec7QtXYn1ETRnp70ot8ATfLyqIWQ1S9K JjxFatupfqrxJjmdat4e988hN4fyICQ+jhXwyc70tsXOlcMOcmg/3yMrY0r/F3lfxmaxQz M+K2WDPrDEsddihl/9Ib5doheT2gxytr+neX3htz2akFvIcB0qRCzi/sd2rPeC3hoOewwX jk/mkKusrSHfiOJl2HlhzTWToLiA8hy9tvYAp2mDrJjeeZcZZb9bo8ueDgr7OA== Authentication-Results: outgoing_mbo_mout; dkim=none; spf=pass (outgoing_mbo_mout: domain of ralf@mandelbit.com designates 2001:67c:2050:b231:465::2 as permitted sender) smtp.mailfrom=ralf@mandelbit.com From: Ralf Lici To: openvpn-devel@lists.sourceforge.net Date: Fri, 5 Jun 2026 15:13:10 +0200 Message-ID: In-Reply-To: References: MIME-Version: 1.0 X-Rspamd-Queue-Id: 4gX21z2TrRz9xds X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-1.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: ovpn accepts a userspace-provided socket and a peer remote endpoint through netlink. For UDP peers, the remote endpoint family selects the transmit path used later by ovpn_udp_output. Reject UDP peer remotes that are incompatible with the socket state when they are configured through netlink. An IPv4 UDP socket cannot be used with an IPv6 remote endpoint, and an IPv6-only UDP socke [...] Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-Headers-End: 1wVUN1-0006td-IL Subject: [Openvpn-devel] [PATCH ovpn net v2 3/4] ovpn: reject UDP remotes incompatible with socket family X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: 1867162838566952259 X-GMAIL-MSGID: 1867162838566952259 ovpn accepts a userspace-provided socket and a peer remote endpoint through netlink. For UDP peers, the remote endpoint family selects the transmit path used later by ovpn_udp_output. Reject UDP peer remotes that are incompatible with the socket state when they are configured through netlink. An IPv4 UDP socket cannot be used with an IPv6 remote endpoint, and an IPv6-only UDP socket cannot send to an IPv4 remote endpoint. Reporting this at setup time gives userspace a clear extack and avoids installing a peer that would immediately be unable to transmit. This validation only covers the socket state visible while the netlink request is handled. The socket remains owned by userspace after it is attached to ovpn, so userspace can later change properties such as IPV6_V6ONLY or IPV6_ADDRFORM. The transmit path therefore still has to re-check socket/remote compatibility before sending. Parse the remote endpoint once in the peer new/set paths and reject UDP remotes when the provided socket cannot send to them. Pass the parsed endpoint into the common peer modify helper so the validation and the stored endpoint use the same normalized sockaddr. Fixes: 1d36a36f6d53 ("ovpn: implement peer add/get/dump/delete via netlink") Signed-off-by: Ralf Lici --- Changes since v1 https://lore.kernel.org/openvpn-devel/20260526124544.425791-3-ralf@mandelbit.com/ - Reword the commit message to clarify that netlink validation is only setup-time diagnostics. - Use a single READ_ONCE snapshot of sk->sk_family in ovpn_nl_udp_remote_compatible. drivers/net/ovpn/netlink.c | 132 ++++++++++++++++++++++++++----------- 1 file changed, 94 insertions(+), 38 deletions(-) diff --git a/drivers/net/ovpn/netlink.c b/drivers/net/ovpn/netlink.c index 01ae5a40e31d..bcef99534294 100644 --- a/drivers/net/ovpn/netlink.c +++ b/drivers/net/ovpn/netlink.c @@ -271,15 +271,17 @@ static int ovpn_nl_peer_precheck(struct ovpn_priv *ovpn, * @peer: the peer to modify * @info: generic netlink info from the user request * @attrs: the attributes from the user request + * @remote: remote address, if provided * * Return: a negative error code in case of failure, 0 on success or 1 on * success and the VPN IPs have been modified (requires rehashing in MP * mode) */ static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info, - struct nlattr **attrs) + struct nlattr **attrs, + const struct sockaddr_storage *remote) { - struct sockaddr_storage ss = {}; + struct sockaddr_storage empty_remote = {}; void *local_ip = NULL; u32 interv, timeout; bool rehash = false; @@ -287,15 +289,15 @@ static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info, spin_lock_bh(&peer->lock); - if (ovpn_nl_attr_sockaddr_remote(attrs, &ss)) { + if (remote) { /* we carry the local IP in a generic container. * ovpn_peer_reset_sockaddr() will properly interpret it - * based on ss.ss_family + * based on remote->ss_family */ local_ip = ovpn_nl_attr_local_ip(attrs); /* set peer sockaddr */ - ret = ovpn_peer_reset_sockaddr(peer, &ss, local_ip); + ret = ovpn_peer_reset_sockaddr(peer, remote, local_ip); if (ret < 0) { NL_SET_ERR_MSG_FMT_MOD(info->extack, "cannot set peer sockaddr: %d", @@ -333,7 +335,7 @@ static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info, netdev_dbg(peer->ovpn->dev, "modify peer id=%u tx_id=%u endpoint=%pIScp VPN-IPv4=%pI4 VPN-IPv6=%pI6c\n", - peer->id, peer->tx_id, &ss, + peer->id, peer->tx_id, remote ?: &empty_remote, &peer->vpn_addrs.ipv4.s_addr, &peer->vpn_addrs.ipv6); spin_unlock_bh(&peer->lock); @@ -344,10 +346,43 @@ static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info, return ret; } +/** + * ovpn_nl_udp_remote_compatible - check if a UDP socket can use a remote + * @sk: UDP socket to validate + * @remote: remote endpoint to validate against the socket + * @extack: netlink extended ACK for reporting validation errors + * + * Return: 0 if the remote endpoint is compatible with the socket or a negative + * error code otherwise. + */ +static int ovpn_nl_udp_remote_compatible(const struct sock *sk, + const struct sockaddr_storage *remote, + struct netlink_ext_ack *extack) +{ + const unsigned short sock_family = READ_ONCE(sk->sk_family); + + if (sock_family == AF_INET && remote->ss_family == AF_INET6) { + NL_SET_ERR_MSG_FMT_MOD(extack, + "UDP socket is IPv4 but remote is IPv6"); + return -EAFNOSUPPORT; + } + + if (sock_family == AF_INET6 && ipv6_only_sock(sk) && + remote->ss_family == AF_INET) { + NL_SET_ERR_MSG_FMT_MOD(extack, + "UDP socket is IPv6-only but remote is IPv4"); + return -EAFNOSUPPORT; + } + + return 0; +} + int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info) { - struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; + const struct sockaddr_storage *remote = NULL; struct ovpn_priv *ovpn = info->user_ptr[0]; + struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; + struct sockaddr_storage ss = {}; struct ovpn_socket *ovpn_sock; struct socket *sock = NULL; struct ovpn_peer *peer; @@ -411,26 +446,34 @@ int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info) goto peer_release; } - /* Only when using UDP as transport protocol the remote endpoint - * can be configured so that ovpn knows where to send packets to. - */ - if (sk_is_udp(sock->sk) && - !attrs[OVPN_A_PEER_REMOTE_IPV4] && - !attrs[OVPN_A_PEER_REMOTE_IPV6]) { - NL_SET_ERR_MSG_FMT_MOD(info->extack, - "missing remote IP address for UDP socket"); - sockfd_put(sock); - ret = -EINVAL; - goto peer_release; - } + if (ovpn_nl_attr_sockaddr_remote(attrs, &ss)) + remote = &ss; - /* In case of TCP, the socket is connected to the peer and ovpn - * will just send bytes over it, without the need to specify a - * destination. - */ - if (sk_is_tcp(sock->sk) && - (attrs[OVPN_A_PEER_REMOTE_IPV4] || - attrs[OVPN_A_PEER_REMOTE_IPV6])) { + if (sk_is_udp(sock->sk)) { + /* Only when using UDP as transport protocol the remote + * endpoint can be configured so that ovpn knows where to send + * packets to. + */ + if (!remote) { + NL_SET_ERR_MSG_FMT_MOD(info->extack, + "missing remote IP address for UDP socket"); + sockfd_put(sock); + ret = -EINVAL; + goto peer_release; + } + + /* can the socket be used with this remote? */ + ret = ovpn_nl_udp_remote_compatible(sock->sk, remote, + info->extack); + if (ret < 0) { + sockfd_put(sock); + goto peer_release; + } + } else if (remote) { + /* In case of TCP, the socket is connected to the peer and ovpn + * will just send bytes over it, without the need to specify a + * destination. + */ NL_SET_ERR_MSG_FMT_MOD(info->extack, "unexpected remote IP address with TCP socket"); sockfd_put(sock); @@ -456,7 +499,7 @@ int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info) rcu_assign_pointer(peer->sock, ovpn_sock); - ret = ovpn_nl_peer_modify(peer, info, attrs); + ret = ovpn_nl_peer_modify(peer, info, attrs, remote); if (ret < 0) goto sock_release; @@ -483,8 +526,10 @@ int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info) int ovpn_nl_peer_set_doit(struct sk_buff *skb, struct genl_info *info) { - struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; + const struct sockaddr_storage *remote = NULL; struct ovpn_priv *ovpn = info->user_ptr[0]; + struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; + struct sockaddr_storage ss = {}; struct ovpn_socket *sock; struct ovpn_peer *peer; u32 peer_id; @@ -516,22 +561,33 @@ int ovpn_nl_peer_set_doit(struct sk_buff *skb, struct genl_info *info) return -ENOENT; } - /* when using a TCP socket the remote IP is not expected */ + if (ovpn_nl_attr_sockaddr_remote(attrs, &ss)) + remote = &ss; + rcu_read_lock(); sock = rcu_dereference(peer->sock); - if (sock && sock->sk->sk_protocol == IPPROTO_TCP && - (attrs[OVPN_A_PEER_REMOTE_IPV4] || - attrs[OVPN_A_PEER_REMOTE_IPV6])) { - rcu_read_unlock(); - NL_SET_ERR_MSG_FMT_MOD(info->extack, - "unexpected remote IP address with TCP socket"); - ovpn_peer_put(peer); - return -EINVAL; + if (sock && remote) { + if (sk_is_udp(sock->sk)) { + ret = ovpn_nl_udp_remote_compatible(sock->sk, remote, + info->extack); + if (ret < 0) { + rcu_read_unlock(); + ovpn_peer_put(peer); + return ret; + } + } else if (sk_is_tcp(sock->sk)) { + /* when using a TCP socket remote IP is not expected */ + NL_SET_ERR_MSG_FMT_MOD(info->extack, + "unexpected remote IP address with TCP socket"); + rcu_read_unlock(); + ovpn_peer_put(peer); + return -EINVAL; + } } rcu_read_unlock(); spin_lock_bh(&ovpn->lock); - ret = ovpn_nl_peer_modify(peer, info, attrs); + ret = ovpn_nl_peer_modify(peer, info, attrs, remote); if (ret < 0) { spin_unlock_bh(&ovpn->lock); ovpn_peer_put(peer);