[Openvpn-devel] fix(ssl): init peer_id when init tls_multi

Message ID	tencent_C49D67EAA5678D180C293706A9469EFE8307@qq.com
State	New
Headers	show Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Message-ID: <tencent_C49D67EAA5678D180C293706A9469EFE8307@qq.com> From: yatta <ytzhang01@foxmail.com> To: openvpn-devel@lists.sourceforge.net Date: Fri, 20 Oct 2023 01:12:13 +0800 MIME-Version: 1.0 preview: From: pushan When openvpn run in UDP server mode, if ssl connections reach the max clients, the next connection would be failed in `multi_create_instance` and the half connection will be close in `multi_close_inst [...] Content analysis details: (3.7 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [203.205.221.202 listed in list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [ytzhang01[at]foxmail.com] 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit [ytzhang01[at]foxmail.com] -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 0.4 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS 3.2 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1) Subject: [Openvpn-devel] [PATCH] fix(ssl): init peer_id when init tls_multi Precedence: list Cc: pushan <62173185+pushan01@users.noreply.github.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
Series	[Openvpn-devel] fix(ssl): init peer_id when init tls_multi \| expand [Openvpn-devel] fix(ssl): init peer_id when init tls_multi

Message ID

tencent_C49D67EAA5678D180C293706A9469EFE8307@qq.com

State

New

Headers

Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Message-ID: <tencent_C49D67EAA5678D180C293706A9469EFE8307@qq.com>
From: yatta <ytzhang01@foxmail.com>
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 20 Oct 2023 01:12:13 +0800
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH] fix(ssl): init peer_id when init tls_multi
Precedence: list
Cc: pushan <62173185+pushan01@users.noreply.github.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

Series

[Openvpn-devel] fix(ssl): init peer_id when init tls_multi | expand

Commit Message

yatta Oct. 19, 2023, 5:12 p.m. UTC

From: pushan <62173185+pushan01@users.noreply.github.com>

When openvpn run in UDP server mode, if ssl connections reach the max clients, the next connection would be failed in `multi_create_instance` and the half connection will be close in `multi_close_instance`, which may lead array `m->instances[0]`  covered unexpectedly and make the first connection  interrupt, this patch fix this problem by init `peer_id` with `MAX_PEER_ID` in `tils_multi_init`.
---
 src/openvpn/ssl.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Arne Schwabe Dec. 6, 2023, 2:28 p.m. UTC | #1

Am 19.10.23 um 19:12 schrieb yatta:
> From: pushan <62173185+pushan01@users.noreply.github.com>
> 
> When openvpn run in UDP server mode, if ssl connections reach the max clients, the next connection would be failed in `multi_create_instance` and the half connection will be close in `multi_close_instance`, which may lead array `m->instances[0]`  covered unexpectedly and make the first connection  interrupt, this patch fix this problem by init `peer_id` with `MAX_PEER_ID` in `tils_multi_init`.

A bit more explanaition on this:

When we create an instance in multi_create_instance we call

inherit_context_child(&mi->context, &m->top);

which in turn calls the tls_multi_init that is patched here.

When I encounter an error during the creation in multi_create_instance 
we call multi_close_instance in the goto err branch. That 
multi_close_instance clears the instance from the dict if the peer_id is 
not MAX_PEER_ID.

We probably should refactor this to be a bit cleaner in the future.

Acked-By: Arne Schwabe <arne@rfc2549.org>

Gert Doering Dec. 6, 2023, 4:57 p.m. UTC | #2

Hi,

On Fri, Oct 20, 2023 at 01:12:13AM +0800, yatta wrote:
> From: yatta <ytzhang01@foxmail.com>
> From: pushan <62173185+pushan01@users.noreply.github.com>

So, we have a patch that fixes a problem and an ACK for it, but for
a proper commit I actually need something like a real name and a
working mail address...

Could you provide a Signed-off-by: line, like what we have on other
commits, for example:

    Signed-off-by: David Sommerseth <davids@openvpn.net>

(this does get relevant in case we end up having to do a license
change again, and wanting to contact contributors...)

thanks,

gert

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 5e6205cc..c4420b2e 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -64,6 +64,7 @@ 
 #include "dco.h"
 
 #include "memdbg.h"
+#include "openvpn.h"
 
 #ifdef MEASURE_TLS_HANDSHAKE_STATS
 
@@ -1312,6 +1313,7 @@  tls_multi_init(struct tls_options *tls_options)
     /* get command line derived options */
     ret->opt = *tls_options;
     ret->dco_peer_id = -1;
+    ret->peer_id = MAX_PEER_ID;
 
     return ret;
 }

[Openvpn-devel] fix(ssl): init peer_id when init tls_multi

Commit Message

Comments

Patch