From patchwork Fri Jul 18 18:55:53 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4315
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 18 Jul 2025 20:55:53 +0200
Message-ID: <20250718185559.4515-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.0
Subject: [Openvpn-devel] [PATCH v3] Multi-socket: Fix assert triggered by stale peer-id reuse

From: Gianmarco De Gregori

Fixed a bug where clients using different transport protocols (UDP, TCP)
could interfere with each other after a server restart. The issue occurred
when a client reused a previously assigned peer-id that was now associated
with a different client using a different transport protocol.

For example, a UDP client could send packets with a peer-id now assigned to
a TCP client, which lacks a valid context->c2.from which is filled by the
recvfrom(), causing an assert to be triggered.

A protocol check has been added to prevent packets from different protocols
from hijacking active connections.

Github: #773
Change-Id: Iecbbcf32c0059f2b16a05333b3794599060d7d6a
Signed-off-by: Gianmarco De Gregori
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1078
This mail reflects revision 3 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering
diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 93e65e0..ee8446a 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -216,16 +216,20 @@ if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id])) { - mi = m->instances[peer_id]; - - *floated = !link_socket_actual_match(&mi->context.c2.from, &m->top.c2.from); - - if (*floated) + /* Floating on TCP will never be possible, so ensure we only process + * UDP clients */ + if (m->instances[peer_id]->context.c2.link_sockets[0]->info.proto == sock->info.proto) { - /* reset prefix, since here we are not sure peer is the one it claims to be */ - ungenerate_prefix(mi); - msg(D_MULTI_MEDIUM, "Float requested for peer %" PRIu32 " to %s", peer_id, - mroute_addr_print(&real, &gc)); + mi = m->instances[peer_id]; + *floated = !link_socket_actual_match(&mi->context.c2.from, &m->top.c2.from); + + if (*floated) + { + /* reset prefix, since here we are not sure peer is the one it claims to be */ + ungenerate_prefix(mi); + msg(D_MULTI_MEDIUM, "Float requested for peer %" PRIu32 " to %s", peer_id, + mroute_addr_print(&real, &gc)); + } } } }
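Review bot: when the `info.proto` comparison in the new `if` fails, the block assigns neither `mi` nor `*floated`, so what happens to a packet carrying a stale peer-id from another transport depends entirely on the values those hold before this `if`, which are not in the hunk; worth confirming both are initialized earlier (and that an unset `mi` takes the intended not-found path), and adding a `msg(D_MULTI_MEDIUM, ...)` in the mismatch branch so the rejected lookup shows up in logs instead of being silently skipped. The comment "ensure we only process UDP clients" also does not quite match the condition, which checks that the instance's protocol equals the receiving socket's (`sock->info.proto`); wording it as "only accept the peer-id if the instance uses the same transport as the receiving socket" would describe the code. Since `m->instances[peer_id]` is now dereferenced twice, a local such as `struct multi_instance *cand = m->instances[peer_id];` used for the check would avoid the repeated lookup while still leaving `mi` unset on mismatch. Finally, the hard-coded `link_sockets[0]` assumes a per-client instance carries exactly one link socket; if that is guaranteed, stating it in the comment would make the assumption explicit for future multi-socket changes.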