From patchwork Fri Nov 14 15:35:02 2025
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 4598
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 14 Nov 2025 16:35:02 +0100
Message-Id: <20251114153502.270804-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH v2] recursive routing: fixes and clean-ups
Cc: Lev Stipakov

From: Lev Stipakov

- get rid of atoi() for getting the remote transport port. It doesn't
  change, so there is no point in doing it on every packet. In addition,
  atoi() breaks when we use service names as ports.
- ensure we correctly handle IPv4 headers with options
- directly use buf parameter in place of c->c2.buf

GitHub: #902

Change-Id: I8a0a8029da02fc63adc918e8d98e9f676ff4ea0d
Signed-off-by: Lev Stipakov Acked-by: Frank Lichtenheld Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1377 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1377 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index aa1f858..90e52d2 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1382,15 +1382,24 @@ struct openvpn_sockaddr *link_addr = &c->c2.to_link_addr->dest; struct link_socket_info *lsi = get_link_socket_info(c); - uint16_t link_port = atoi(c->c2.link_sockets[0]->remote_port); int ip_hdr_offset = 0; - int tun_ip_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), &c->c2.buf, &ip_hdr_offset); + int tun_ip_ver = get_tun_ip_ver(TUNNEL_TYPE(c->c1.tuntap), buf, &ip_hdr_offset); if (tun_ip_ver == 4) { - /* make sure we got whole IP header and TCP/UDP src/dst ports */ - if (BLEN(buf) < ((int)sizeof(struct openvpn_iphdr) + ip_hdr_offset + sizeof(uint16_t) * 2)) + /* Ensure we can safely read the IPv4 header */ + const int min_ip_header = ip_hdr_offset + sizeof(struct openvpn_iphdr); + if (BLEN(buf) < min_ip_header) + { + return; + } + + struct openvpn_iphdr *pip = (struct openvpn_iphdr *)(BPTR(buf) + ip_hdr_offset); + const int ip_hlen = OPENVPN_IPH_GET_LEN(pip->version_len); + /* Reject malformed or truncated headers */ + if (ip_hlen < sizeof(struct openvpn_iphdr) + || BLEN(buf) < (int)(ip_hdr_offset + ip_hlen + sizeof(uint16_t) * 2)) { return; } @@ -1401,8 +1410,6 @@ return; } - struct openvpn_iphdr *pip = (struct openvpn_iphdr *)(BPTR(buf) + ip_hdr_offset); - /* skip if tun protocol doesn't match link protocol */ if ((lsi->proto == PROTO_TCP && pip->protocol != OPENVPN_IPPROTO_TCP) || (lsi->proto == PROTO_UDP && pip->protocol != OPENVPN_IPPROTO_UDP)) 
@@ -1410,9 +1417,10 @@ return; } - /* drop packets with same dest addr and port as remote */ - uint8_t *l4_hdr = (uint8_t *)pip + sizeof(struct openvpn_iphdr); + uint8_t *l4_hdr = (uint8_t *)pip + ip_hlen; + + uint16_t link_port = ntohs(link_addr->addr.in4.sin_port); /* TCP and UDP ports are at the same place in the header, and other protocols * can not happen here due to the lsi->proto check above */ @@ -1420,7 +1428,7 @@ uint16_t dst_port = ntohs(*(uint16_t *)(l4_hdr + sizeof(uint16_t))); if ((memcmp(&link_addr->addr.in4.sin_addr.s_addr, &pip->daddr, sizeof(pip->daddr)) == 0) && (link_port == dst_port)) { - c->c2.buf.len = 0; + buf->len = 0; struct gc_arena gc = gc_new(); msg(D_LOW, "Recursive routing detected, packet dropped %s:%" PRIu16 " -> %s", @@ -1433,7 +1441,8 @@ else if (tun_ip_ver == 6) { /* make sure we got whole IPv6 header and TCP/UDP src/dst ports */ - if (BLEN(buf) < ((int)sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset + sizeof(uint16_t) * 2)) + const int min_ipv6 = ip_hdr_offset + sizeof(struct openvpn_ipv6hdr) + sizeof(uint16_t) * 2; + if (BLEN(buf) < min_ipv6) { return; } @@ -1453,13 +1462,15 @@ return; } + uint16_t link_port = ntohs(link_addr->addr.in6.sin6_port); + /* drop packets with same dest addr and port as remote */ uint8_t *l4_hdr = (uint8_t *)pip6 + sizeof(struct openvpn_ipv6hdr); uint16_t src_port = ntohs(*(uint16_t *)l4_hdr); uint16_t dst_port = ntohs(*(uint16_t *)(l4_hdr + sizeof(uint16_t))); if ((OPENVPN_IN6_ARE_ADDR_EQUAL(&link_addr->addr.in6.sin6_addr, &pip6->daddr)) && (link_port == dst_port)) { - c->c2.buf.len = 0; + buf->len = 0; struct gc_arena gc = gc_new(); msg(D_LOW, "Recursive routing detected, packet dropped %s:%" PRIu16 " -> %s",
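Review bot: in hunk @@ -1382,15 +1382,24 @@ the new length checks mix `int` and `size_t`: `const int min_ip_header = ip_hdr_offset + sizeof(struct openvpn_iphdr);` narrows a size_t sum into an int, and `if (ip_hlen < sizeof(struct openvpn_iphdr)` compares the signed `ip_hlen` against an unsigned size, which -Wsign-compare builds will flag; consider declaring `ip_hlen` and `min_ip_header` as `size_t` (or casting consistently, as the second half of that condition already does with `(int)`). The same applies to `const int min_ipv6 = ...` in hunk @@ -1433,7 +1441,8 @@. The two-step check itself is right: the fixed 20-byte header is confirmed present before `version_len` is read, and the IHL-derived `ip_hlen` is then validated against both the minimum header size and the bytes actually in the buffer, which is what makes the later `(uint8_t *)pip + ip_hlen` read safe for packets with options.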
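Review bot: in hunk @@ -1410,9 +1417,10 @@ the explanatory comment `/* drop packets with same dest addr and port as remote */` is dropped from the IPv4 path but retained in the IPv6 path (hunk @@ -1453,13 +1462,15 @@), so the two branches now read differently for the same check; suggest keeping it above `uint16_t link_port = ntohs(link_addr->addr.in4.sin_port);`. Taking the port from the same sockaddr whose `sin_addr` is compared a few lines later is the right fix for the `atoi()` problem named in the commit message (service names as ports, and no per-packet string parsing), and the two `link_port` declarations being block-scoped per address family avoids the old single `uint16_t link_port` at function scope.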
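Review bot: in hunk @@ -1453,13 +1462,15 @@ the IPv6 branch still locates the transport header at a fixed offset, `uint8_t *l4_hdr = (uint8_t *)pip6 + sizeof(struct openvpn_ipv6hdr);`, i.e. it assumes no extension headers sit between the fixed IPv6 header and the ports. That predates this change and is out of scope, but now that the IPv4 path honors a variable header length, a one-line comment stating the IPv6 assumption next to `min_ipv6` would keep a reader from expecting the same treatment there.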
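The following is an added example, not part of the patch or of OpenVPN's code: a stand-alone model of the check the commit message describes, showing why a fixed 20-byte L4 offset misses packets carrying IP options and how the two-step length check rejects truncated headers. The remote endpoint (10.0.0.1:1194), the packet builder and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not OpenVPN code: a stand-alone model of the recursive-routing
 * check the patch fixes. All names are ours; the remote 10.0.0.1:1194 is constructed,
 * its address kept as raw bytes so the comparison is endian-agnostic. */
static const uint8_t REMOTE_ADDR[4] = {10, 0, 0, 1};
#define REMOTE_PORT 1194

/* 1 if an IPv4/UDP tun packet is addressed to the link remote (it would loop
 * back into the tunnel), else 0. Malformed or truncated packets yield 0,
 * mirroring the patch's early "return;". honor_ihl=0 reproduces the pre-patch
 * behaviour of assuming a 20-byte header. */
int is_recursive_ipv4(const uint8_t *pkt, size_t len, int honor_ihl)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;     /* fixed header first */
    size_t ihl = honor_ihl ? (size_t)(pkt[0] & 0x0f) * 4 : 20;
    if (ihl < 20 || len < ihl + 4) return 0;          /* bad IHL / no room for ports */
    if (pkt[9] != 17) return 0;                       /* UDP link: skip non-UDP */
    const uint8_t *l4 = pkt + ihl;                    /* ports follow the options */
    uint16_t dst_port = (uint16_t)((l4[2] << 8) | l4[3]);
    return memcmp(pkt + 16, REMOTE_ADDR, 4) == 0 && dst_port == REMOTE_PORT;
}

/* Build a constructed IPv4/UDP packet to REMOTE_ADDR with opt_words 32-bit
 * NOP (0x01) option words after the fixed header; returns total length. */
static size_t build_ipv4_udp(uint8_t *out, int opt_words, uint16_t dport)
{
    size_t ihl = 20 + 4 * (size_t)opt_words;
    memset(out, 0, ihl + 8);
    out[0] = (uint8_t)(0x40 | (ihl / 4));             /* version 4, IHL in words */
    out[9] = 17;                                      /* protocol = UDP */
    memcpy(out + 16, REMOTE_ADDR, 4);
    memset(out + 20, 0x01, 4 * (size_t)opt_words);    /* options */
    out[ihl + 2] = (uint8_t)(dport >> 8);             /* UDP dst port */
    out[ihl + 3] = (uint8_t)dport;
    return ihl + 8;
}

/* Exercise the check on a constructed packet; truncate_by drops bytes from
 * the end, honor_ihl selects the fixed or the IHL-aware L4 offset. */
int demo_check(int opt_words, uint16_t dport, size_t truncate_by, int honor_ihl)
{
    uint8_t pkt[80];
    size_t len = build_ipv4_udp(pkt, opt_words, dport);
    return is_recursive_ipv4(pkt, len - truncate_by, honor_ihl);
}
```

With one option word (IHL 6) the fixed-offset variant reads the NOP bytes 0x0101 as the port and misses the loop, while the IHL-aware variant detects it; a packet cut short of the port fields is left alone by both.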