From patchwork Fri Jun 5 13:13:08 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralf Lici X-Patchwork-Id: 4992 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:bc1d:b0:861:c897:cb9d with SMTP id jc29csp220922mab; Fri, 5 Jun 2026 06:14:04 -0700 (PDT) X-Forwarded-Encrypted: i=2; AFNElJ8Z8yUa8TLRYCzl3YIryGc0aXYl5hQm6kWlwoFM5Qm+gs1pvWLpbi1FCJQ3UI/7pLWFFN0rLz1W3/E=@openvpn.net X-Received: by 2002:a05:6830:6b0f:b0:7e6:f7fb:968b with SMTP id 46e09a7af769-7e70c60de94mr1921718a34.2.1780665244090; Fri, 05 Jun 2026 06:14:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1780665244; cv=none; d=google.com; s=arc-20240605; b=BEMZDZfj45u1+ntXeM8ldd8AIu7fKS2poDkZcn3bErZ7G21c/5/4SlXwMHZhtOdQ5k sX+9cZ578j/w8fD08JDxT0VgzxDkUmPkhR/65WaDsxO7j7bKkjoscflSC9W4Plm+dnMZ TjXvKYtZlrF906rKRtUL2FLzvKaU1SkE+z+m6IZFUjHJ9/b9Cgdh+PsWqTAlbgN0wzdL X1DPHcX/jKqqCb4rzcQS7N7Z2MfRNoGH6UV5FQ/oyY8EaTTxorMOA5Q2HKXAUeBKI4C/ b84Zl1gwL67Aj7mXcXSsfn8uUGY8xRvVRCoe7bSq4cnU0K/Wv46EUywTx8y2XNVeh86K sNKw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature:dkim-signature; bh=QtNrnrVtp6HfiGOpP6+9jiAnz2x3CQ4PlpGrQEOHy8I=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=hLzkP7+zuamP94FZ7K52hIZY/ts0pppuVqFBT9iwSPdUNJVj/0D6nmmddOYfGKkjdx ovtwalPSdci7KzHG4hKGgHK7IPimd0r8LkzsCtP+ev4BoXpMPWgK5gX7hoIEQbzzQtM0 9oqGCWKdwpT0pmDkxYOiGJKI5epo5PokDYEmls0YNhbYpXx8wU1ZdpT0mQDKgH0pP7Qz vJof3nmHVSZNbBS+AfvexT9CkXuZ2CeYuRxH3f/VkalXeSMmuMm62jmJI0gTjqztLx4E w03DnC6JShRkzC8Cw7Oo2X6WFCHhZiUS+rKOMpeRkG2dpugayUVXLDL05zH1WC0kB5pf sYRg==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=AmkjTVSp; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=MKg3sN93; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b="Mvn8/gjk"; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=fTW20Eat; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 46e09a7af769-7e6e746d22bsi6521107a34.39.2026.06.05.06.14.03 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 05 Jun 2026 06:14:04 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=AmkjTVSp; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=MKg3sN93; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b="Mvn8/gjk"; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=fTW20Eat; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=QtNrnrVtp6HfiGOpP6+9jiAnz2x3CQ4PlpGrQEOHy8I=; b=AmkjTVSpQZoCmg7klwfr5NTZo/ XwOynn3R08eiZ5HLgN4sdHlDpgG9EbTlCc5WS9AZpSQXjYIFLjCaIwuNkwMLcIeAr/MISpUN2DBHc AWa/14IhWGBXOKz72waaB/RyE/7fc61maOIz532jiyqQyXN9HSUQ5VtifKgACRClnE7Y=; Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1wVUN4-000230-2G; Fri, 05 Jun 2026 13:13:55 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1wVUN2-00022t-NZ for openvpn-devel@lists.sourceforge.net; Fri, 05 Jun 2026 13:13:54 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=13CwgvKv4O8y99r9I1s32c1cnJH3MX73vUrBwv//sR4=; b=MKg3sN93Y7eiInCbX9lNWgsOcx baKUS9NKIKE4Ao0YyZzkJXmLsBQgruMTFWRaAqw4xzDk3W7rQ+uhjRREMpMiIxvhWTLOA/1dImCMj 2w6wjzXy9c0OdaoSliny0voTdMxkezyZP0P3u8y8kr4OnhOYChyFe4GRxiVePWcYszMI=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=13CwgvKv4O8y99r9I1s32c1cnJH3MX73vUrBwv//sR4=; b=Mvn8/gjkeA9Z6Lw8SY12gluv+H Iqp5mSTp96aeFYqjRVBLiDOeH7NYSk6gn9JuT+j/FSnxZQKyGNT4F8aGCv4RPiP0yia8pkP1GX0Qe t33bM5dfPu3qI+CAmKpbJxVx916OIrLj7SF2lLNeOBSUj2TLBQ2kRLnhSO/LYvJRVpAc=; Received: from mout-b-105.mailbox.org ([195.10.208.50]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1wVUMy-0006tY-Vw for openvpn-devel@lists.sourceforge.net; Fri, 05 Jun 2026 13:13:54 +0000 Received: from smtp2.mailbox.org (smtp2.mailbox.org [10.196.197.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-105.mailbox.org (Postfix) with ESMTPS id 4gX21w4LrDz9ym6; Fri, 5 Jun 2026 15:13:40 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandelbit.com; s=MBO0001; t=1780665220; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=13CwgvKv4O8y99r9I1s32c1cnJH3MX73vUrBwv//sR4=; b=fTW20EatsSJZkbWfeA5gWhlMHBa64CSYzO/iLh6z+CpuaoTDLPFcID4qKkipp3NLqDe+IR HKBOMrv/tC/13MW1FasYwwndy5xECz5tW+Y3ck1iqlsZpOuGf2VqubGzlVO5pdlCI4w/i5 B4e49GQX/zxgTX9mx00G/aXRL7tTATMpTHw+AwMT3Sd6pLM4mTZclCqJyPeJxVI19K4yWU ZHYvCf+xSEmCTg0ShAQSD79AQ8g/J2Xwzd8VuA12CNzkg1cinimYU/E1P+OQ0FxN23CsEG EkaEPEYc4RpL63QlEZJm1rIn1Jm883+7MwIWhSlWoqxqZDmf3/im6gLcrt2V8A== From: Ralf Lici To: openvpn-devel@lists.sourceforge.net Date: Fri, 5 Jun 2026 15:13:08 +0200 Message-ID: <97aecfd6a289211b3a1e3ed03ebd80bd896dde9b.1780663425.git.ralf@mandelbit.com> In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-2.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: ovpn operates on a userspace-owned UDP socket, which may be manipulated in various ways by userspace. If the socket is never bound, connected, or used for communication, it may not have a source port [...] Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-Headers-End: 1wVUMy-0006tY-Vw Subject: [Openvpn-devel] [PATCH ovpn net v2 1/4] ovpn: avoid sending UDP packets with source port 0 X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: 1867162839030011115 X-GMAIL-MSGID: 1867162839030011115 ovpn operates on a userspace-owned UDP socket, which may be manipulated in various ways by userspace. If the socket is never bound, connected, or used for communication, it may not have a source port assigned. Similarly, if the socket was connect()'ed to AF_INET or AF_INET6, it can be disconnected by connect() with AF_UNSPEC, which resets the source port unless the socket was explicitly bound. Since we must not transmit packets with source port 0, gate UDP TX on the presence of a valid source port and drop packets otherwise. To avoid ambiguity, sample the current source port once before route lookup and header build and enforce the check on that value. Emit a ratelimited warning when this drop path is hit so the broken socket state is visible. Return local UDP output errors to the common TX completion path so locally dropped packets are not counted as successful transport TX and do not refresh the peer keepalive timer. Fixes: 08857b5ec5d9 ("ovpn: implement basic TX path (UDP)") Signed-off-by: Ralf Lici --- Changes since v1 https://lore.kernel.org/openvpn-devel/20260526124544.425791-1-ralf@mandelbit.com/ - Emit a ratelimited warning when UDP TX sees source port 0. - Make ovpn_udp_send_skb return local UDP output errors instead of freeing the skb internally. - Propagate local UDP TX errors to ovpn_encrypt_post so failed local drops do not update link TX stats or last_sent. - Update UDP TX kdoc to document skb ownership on success/error. drivers/net/ovpn/io.c | 4 +++- drivers/net/ovpn/udp.c | 33 +++++++++++++++++++++++---------- drivers/net/ovpn/udp.h | 4 ++-- 3 files changed, 28 insertions(+), 13 deletions(-) diff --git a/drivers/net/ovpn/io.c b/drivers/net/ovpn/io.c index 22c555dd962e..2ed45f955881 100644 --- a/drivers/net/ovpn/io.c +++ b/drivers/net/ovpn/io.c @@ -282,7 +282,9 @@ void ovpn_encrypt_post(void *data, int ret) switch (sock->sk->sk_protocol) { case IPPROTO_UDP: - ovpn_udp_send_skb(peer, sock->sk, skb); + ret = ovpn_udp_send_skb(peer, sock->sk, skb); + if (unlikely(ret < 0)) + goto err_unlock; break; case IPPROTO_TCP: ovpn_tcp_send_skb(peer, sock->sk, skb); diff --git a/drivers/net/ovpn/udp.c b/drivers/net/ovpn/udp.c index 493a5a0744af..49dc15486043 100644 --- a/drivers/net/ovpn/udp.c +++ b/drivers/net/ovpn/udp.c @@ -149,13 +149,20 @@ static int ovpn_udp4_output(struct ovpn_peer *peer, struct ovpn_bind *bind, struct flowi4 fl = { .saddr = bind->local.ipv4.s_addr, .daddr = bind->remote.in4.sin_addr.s_addr, - .fl4_sport = inet_sk(sk)->inet_sport, + .fl4_sport = READ_ONCE(inet_sk(sk)->inet_sport), .fl4_dport = bind->remote.in4.sin_port, .flowi4_proto = sk->sk_protocol, .flowi4_mark = sk->sk_mark, }; int ret; + /* an uninitialized socket or connect(AF_UNSPEC) can cause this */ + if (unlikely(!fl.fl4_sport)) { + net_warn_ratelimited("%s: peer %u: UDP source port is 0\n", + netdev_name(peer->ovpn->dev), peer->id); + return -EADDRNOTAVAIL; + } + local_bh_disable(); rt = dst_cache_get_ip4(cache, &fl.saddr); if (rt) @@ -226,13 +233,20 @@ static int ovpn_udp6_output(struct ovpn_peer *peer, struct ovpn_bind *bind, struct flowi6 fl = { .saddr = bind->local.ipv6, .daddr = bind->remote.in6.sin6_addr, - .fl6_sport = inet_sk(sk)->inet_sport, + .fl6_sport = READ_ONCE(inet_sk(sk)->inet_sport), .fl6_dport = bind->remote.in6.sin6_port, .flowi6_proto = sk->sk_protocol, .flowi6_mark = sk->sk_mark, .flowi6_oif = bind->remote.in6.sin6_scope_id, }; + /* an uninitialized socket or connect(AF_UNSPEC) can cause this */ + if (unlikely(!fl.fl6_sport)) { + net_warn_ratelimited("%s: peer %u: UDP source port is 0\n", + netdev_name(peer->ovpn->dev), peer->id); + return -EADDRNOTAVAIL; + } + local_bh_disable(); dst = dst_cache_get_ip6(cache, &fl.saddr); if (dst) @@ -289,7 +303,8 @@ static int ovpn_udp6_output(struct ovpn_peer *peer, struct ovpn_bind *bind, * @skb: the packet to send * * rcu_read_lock should be held on entry. - * On return, the skb is consumed. + * On success, the skb is passed to the transport stack and consumed. On + * error, ownership remains with the caller. * * Return: 0 on success or a negative error code otherwise */ @@ -336,21 +351,19 @@ static int ovpn_udp_output(struct ovpn_peer *peer, struct dst_cache *cache, * @peer: the destination peer * @sk: peer socket * @skb: the packet to send + * + * Return: 0 on success or a negative error code otherwise */ -void ovpn_udp_send_skb(struct ovpn_peer *peer, struct sock *sk, - struct sk_buff *skb) +int ovpn_udp_send_skb(struct ovpn_peer *peer, struct sock *sk, + struct sk_buff *skb) { - int ret; - skb->dev = peer->ovpn->dev; skb->mark = READ_ONCE(sk->sk_mark); /* no checksum performed at this layer */ skb->ip_summed = CHECKSUM_NONE; /* crypto layer -> transport (UDP) */ - ret = ovpn_udp_output(peer, &peer->dst_cache, sk, skb); - if (unlikely(ret < 0)) - kfree_skb(skb); + return ovpn_udp_output(peer, &peer->dst_cache, sk, skb); } static void ovpn_udp_encap_destroy(struct sock *sk) diff --git a/drivers/net/ovpn/udp.h b/drivers/net/ovpn/udp.h index fe26fbe25c5a..5b67112162a5 100644 --- a/drivers/net/ovpn/udp.h +++ b/drivers/net/ovpn/udp.h @@ -19,7 +19,7 @@ int ovpn_udp_socket_attach(struct ovpn_socket *ovpn_sock, struct socket *sock, struct ovpn_priv *ovpn); void ovpn_udp_socket_detach(struct ovpn_socket *ovpn_sock); -void ovpn_udp_send_skb(struct ovpn_peer *peer, struct sock *sk, - struct sk_buff *skb); +int ovpn_udp_send_skb(struct ovpn_peer *peer, struct sock *sk, + struct sk_buff *skb); #endif /* _NET_OVPN_UDP_H_ */ From patchwork Fri Jun 5 13:13:09 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralf Lici X-Patchwork-Id: 4995 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:bc1d:b0:861:c897:cb9d with SMTP id jc29csp220930mab; Fri, 5 Jun 2026 06:14:04 -0700 (PDT) X-Forwarded-Encrypted: i=2; AFNElJ/E+uUw8loZ8pr0H+YlaEbRaETGmM4JFKgorPK93kxxuMJrFWziDZGve5AIKxbSe/nD2/LQFSU3mAw=@openvpn.net X-Received: by 2002:a05:6871:7b09:b0:42c:22ed:165 with SMTP id 586e51a60fabf-4413d240bf9mr2231350fac.3.1780665244275; Fri, 05 Jun 2026 06:14:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1780665244; cv=none; d=google.com; s=arc-20240605; b=HMZRMSPYkUttZ4a6s0x3VsP6k4eLGHfK1eWoKje+oJyR+V6aE6Uly/7nIPeTTtDaO2 cPC8dnOg4R+2lJSNGALioyx3SuKeYde0xHetBHEDsWm61BMSVXTw15FZ9qqC6/hNxFQu 4V4FjOk53Inpgit/flPmC/tuvIm5hY9jD+v6g/noRSfT4iDCW6o4zw+eOBXMis+PaAQx D4SPbamFvzktXRgF74I3F7xNCJBsTBNdedorzWT/roEG80zPKx8yAgljYPBc+nhMWMXM Wgnkj/Jf2g9RYFjBsx/F0Df+DiWBm2KxAISrOWezY9kLUU+pbkrfjzwILlaxjeblSVd+ 6U4Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature:dkim-signature; bh=30k2KWITLjl9q0n4dyhm0F8EW1Ys2t16TJryVIKT64w=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=BTa2oo9tMcjwsW/AyRfQ7XDSEI7jOpI20PbOznQVLCyuWrgm78a+HYrhS605lTlpkD BHEUpN4EgIouA1ukER1OEHIC/YPreTsMNrwd0oD1f3NUdqWuAmzuhrjqGN8bUZh7mrkB E9jdMmHromeHQCpfN0FFxZITo8xuUGbUPHzJPwfpHr5NQyYoS5Ton+ysD9vZ9QXzBMvR JydoyhXKC2/5Z/hllJlsPPrX6b38+O1+Ks8fZb57waUQL6BC2EH22c7rrepdXgJ11e4x RKZ5yYCqUionCiaka7H/KeurRQjp8OFVxS+f3NuHGRYV1mMDcUJ9mOdLhoypSGdG+m1v tC2Q==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=nLgLa0Q8; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=LOxWVn7T; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=FZ1euZY5; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=D8BGUJ3t; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 586e51a60fabf-440d8712918si7092058fac.235.2026.06.05.06.14.03 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 05 Jun 2026 06:14:04 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=nLgLa0Q8; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=LOxWVn7T; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=FZ1euZY5; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=D8BGUJ3t; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=30k2KWITLjl9q0n4dyhm0F8EW1Ys2t16TJryVIKT64w=; b=nLgLa0Q8b/VWdndcX60XyC/isy USzHDhX7nlaQ9SWcuNphArIuxEO2tu4svQPwIeiBplfBNTrtFboDJfkH9naoAn3Yh8Pjc3YAhC7iy as1S0H7v6XmXAaOf3pmnMzpNJOmNw1kBKc+Isno9GSAGo7F9BVzJV4HTgzs/Gkv+nEtU=; Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com) by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1wVUN2-0000bW-4a; Fri, 05 Jun 2026 13:13:56 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1wVUMx-0000bM-SE for openvpn-devel@lists.sourceforge.net; Fri, 05 Jun 2026 13:13:54 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=UJrQxZ0/TFndfRQdP052LfHVdaMrvmF0cq4i49jJRQM=; b=LOxWVn7TEqhoeeu8ShNaWODnjJ ATvZxWkqAB050zyuvsPezpuWGOa/UV4eESYH2CO4yk3rbxtU9oDTZgvXn0H4W99WV5QW4Oe8BCv6Q XEqDnh6wFBLq9hSC6+ayL/mi3Cddx9wLUmyS/mxX7zw6FGhzAABHiXF7FwMSo8C9oAH8=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=UJrQxZ0/TFndfRQdP052LfHVdaMrvmF0cq4i49jJRQM=; b=FZ1euZY5aiLjM1wwU89wkSyt7Y bMsjJfgv3FTJ9zIzOkljkBlx6Dj9P7IWyx/a3lC3ercnObYZCg1JqoBhtzm9M1xqPTFiQvqHybm93 Y+4n0GvyoxMWuyws1gSRH1jITxR/ashi3tG9GETLcpvIuRqO1FIkKP7rgNPjbxF/jrMU=; Received: from mout-b-201.mailbox.org ([195.10.208.61]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1wVUMw-0006tO-1T for openvpn-devel@lists.sourceforge.net; Fri, 05 Jun 2026 13:13:52 +0000 Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:b231:465::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-201.mailbox.org (Postfix) with ESMTPS id 4gX21x5n47zDs62; Fri, 5 Jun 2026 15:13:41 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandelbit.com; s=MBO0001; t=1780665221; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UJrQxZ0/TFndfRQdP052LfHVdaMrvmF0cq4i49jJRQM=; b=D8BGUJ3teV97K2app5di+/I6RSJ98unOLUZUxXRHORUGoKPVD9Oluz7Dq2VdMoWmsRYFmO FCicxhxXgrMTk9tAOhGQSvj2dLcPTZGBjj23gfnBtdKZqL1GqqWLIe0khZKI1Ur67dqLiA ao87i7Rl4kOwGeyHJJA/7QZElCKmdYgY9L9AqBErtMXiG1VwaL1GEmVGzyPZs404RaoPr+ bn7qtMTixGI0yVA5f+ptTwWPdK3iioTgzotQQ8NC0OT7LE7PE8R92O/Am32aQsCkD3ijct 0O75AUvDJ8B4CYLAq1NptjgQDFk3JQbM4hJSe6iVkKHzeyD++6vMCRctJ0BXlQ== Authentication-Results: outgoing_mbo_mout; dkim=none; spf=pass (outgoing_mbo_mout: domain of ralf@mandelbit.com designates 2001:67c:2050:b231:465::2 as permitted sender) smtp.mailfrom=ralf@mandelbit.com From: Ralf Lici To: openvpn-devel@lists.sourceforge.net Date: Fri, 5 Jun 2026 15:13:09 +0200 Message-ID: <8e0904081feaec3e49972fa34ace74a9e8c1397f.1780663425.git.ralf@mandelbit.com> In-Reply-To: References: MIME-Version: 1.0 X-Rspamd-Queue-Id: 4gX21x5n47zDs62 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-2.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: ovpn accepts a userspace-provided socket and attaches transport-specific state to it. The current checks use sk_protocol to select the UDP or TCP attach path, but sk_protocol alone does not identify t [...] Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-Headers-End: 1wVUMw-0006tO-1T Subject: [Openvpn-devel] [PATCH ovpn net v2 2/4] ovpn: validate sockets before attaching peer transports X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: 1867162839168717717 X-GMAIL-MSGID: 1867162839168717717 ovpn accepts a userspace-provided socket and attaches transport-specific state to it. The current checks use sk_protocol to select the UDP or TCP attach path, but sk_protocol alone does not identify the socket layout. For example, a raw socket can have sk_protocol set to IPPROTO_UDP while its storage is not a struct udp_sock. Passing such a socket to the UDP attach path would make ovpn read and write udp_sock fields on the wrong object, potentially accessing memory beyond the actual socket storage. Reject sockets unless they are real UDP datagram or TCP stream sockets before attaching them to ovpn in the peer creation path. This lets netlink report a clear error before calling the socket attach helper. Also switch ovpn_socket_new to sk_is_tcp and sk_is_udp, matching the netlink validation performed before the helper is called. This does not change the accepted socket types, but makes the helper's assumptions explicit. Fixes: f6226ae7a0cd ("ovpn: introduce the ovpn_socket object") Fixes: 1d36a36f6d53 ("ovpn: implement peer add/get/dump/delete via netlink") Signed-off-by: Ralf Lici --- No changes since v1 https://lore.kernel.org/openvpn-devel/20260526124544.425791-2-ralf@mandelbit.com/ drivers/net/ovpn/netlink.c | 15 +++++++++++++-- drivers/net/ovpn/socket.c | 16 +++++++++------- 2 files changed, 22 insertions(+), 9 deletions(-) diff --git a/drivers/net/ovpn/netlink.c b/drivers/net/ovpn/netlink.c index 291e2e5bb450..01ae5a40e31d 100644 --- a/drivers/net/ovpn/netlink.c +++ b/drivers/net/ovpn/netlink.c @@ -400,10 +400,21 @@ int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info) goto peer_release; } + /* sk_protocol is not enough to determine if this is a real UDP or TCP + * socket + */ + if (!sk_is_udp(sock->sk) && !sk_is_tcp(sock->sk)) { + NL_SET_ERR_MSG_FMT_MOD(info->extack, + "socket is not TCP or UDP"); + sockfd_put(sock); + ret = -EOPNOTSUPP; + goto peer_release; + } + /* Only when using UDP as transport protocol the remote endpoint * can be configured so that ovpn knows where to send packets to. */ - if (sock->sk->sk_protocol == IPPROTO_UDP && + if (sk_is_udp(sock->sk) && !attrs[OVPN_A_PEER_REMOTE_IPV4] && !attrs[OVPN_A_PEER_REMOTE_IPV6]) { NL_SET_ERR_MSG_FMT_MOD(info->extack, @@ -417,7 +428,7 @@ int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info) * will just send bytes over it, without the need to specify a * destination. */ - if (sock->sk->sk_protocol == IPPROTO_TCP && + if (sk_is_tcp(sock->sk) && (attrs[OVPN_A_PEER_REMOTE_IPV4] || attrs[OVPN_A_PEER_REMOTE_IPV6])) { NL_SET_ERR_MSG_FMT_MOD(info->extack, diff --git a/drivers/net/ovpn/socket.c b/drivers/net/ovpn/socket.c index 517caa64a4fe..7f34f0f11f13 100644 --- a/drivers/net/ovpn/socket.c +++ b/drivers/net/ovpn/socket.c @@ -126,13 +126,15 @@ static int ovpn_socket_attach(struct ovpn_socket *ovpn_sock, /** * ovpn_socket_new - create a new socket and initialize it - * @sock: the kernel socket to embed + * @sock: the kernel socket to embed; must be a real UDP or TCP socket * @peer: the peer reachable via this socket * * Return: an openvpn socket on success or a negative error code otherwise */ struct ovpn_socket *ovpn_socket_new(struct socket *sock, struct ovpn_peer *peer) { + const bool tcp = sk_is_tcp(sock->sk); + const bool udp = sk_is_udp(sock->sk); struct ovpn_socket *ovpn_sock; struct sock *sk = sock->sk; int ret; @@ -142,7 +144,7 @@ struct ovpn_socket *ovpn_socket_new(struct socket *sock, struct ovpn_peer *peer) /* a TCP socket can only be owned by a single peer, therefore there * can't be any other user */ - if (sk->sk_protocol == IPPROTO_TCP && sk->sk_user_data) { + if (tcp && sk->sk_user_data) { ovpn_sock = ERR_PTR(-EBUSY); goto sock_release; } @@ -150,7 +152,7 @@ struct ovpn_socket *ovpn_socket_new(struct socket *sock, struct ovpn_peer *peer) /* a UDP socket can be shared across multiple peers, but we must make * sure it is not owned by something else */ - if (sk->sk_protocol == IPPROTO_UDP) { + if (udp) { u8 type = READ_ONCE(udp_sk(sk)->encap_type); /* socket owned by other encapsulation module */ @@ -203,11 +205,11 @@ struct ovpn_socket *ovpn_socket_new(struct socket *sock, struct ovpn_peer *peer) /* TCP sockets are per-peer, therefore they are linked to their unique * peer */ - if (sk->sk_protocol == IPPROTO_TCP) { + if (tcp) { INIT_WORK(&ovpn_sock->tcp_tx_work, ovpn_tcp_tx_work); ovpn_sock->peer = peer; ovpn_peer_hold(peer); - } else if (sk->sk_protocol == IPPROTO_UDP) { + } else if (udp) { /* in UDP we only link the ovpn instance since the socket is * shared among multiple peers */ @@ -228,9 +230,9 @@ struct ovpn_socket *ovpn_socket_new(struct socket *sock, struct ovpn_peer *peer) ret = ovpn_socket_attach(ovpn_sock, sock, peer); if (ret < 0) { - if (sk->sk_protocol == IPPROTO_TCP) + if (tcp) ovpn_peer_put(peer); - else if (sk->sk_protocol == IPPROTO_UDP) + else if (udp) netdev_put(peer->ovpn->dev, &ovpn_sock->dev_tracker); sock_put(sk); From patchwork Fri Jun 5 13:13:10 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralf Lici X-Patchwork-Id: 4994 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:bc1d:b0:861:c897:cb9d with SMTP id jc29csp220926mab; Fri, 5 Jun 2026 06:14:04 -0700 (PDT) X-Forwarded-Encrypted: i=2; AFNElJ/y/OOSnfyRxVE1XkGCuZFyvlUbDsXpNG7MKT2nebC8iuLXpp2vji9ySp2rOme1oEE9lAlGcoL9LWY=@openvpn.net X-Received: by 2002:a05:6820:4cc8:b0:696:13e9:6863 with SMTP id 006d021491bc7-69e6d30001emr894183eaf.2.1780665243875; Fri, 05 Jun 2026 06:14:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1780665243; cv=none; d=google.com; s=arc-20240605; b=N2EHskRfE3Uwdiwqa4Y2GPyJbFjWD93BY5epUudza8taTz6a6i+cDJrxpEqJEc/jum 6D1NptpRkhx6EX/zvNRlvNdxHd6Xdum1FjlOGdHMPC1INI4trvg3wF3aNCiNWHq7e92G +zn0e4Wgepb7APtZ/4VHe4UJXVAMaOAQjDCfa5BNFUONmJtVPK8gPEOpL+NlK6jjJ6F9 g7fYj4HwBg8bW1o3G5yTD+C6n0rv8eTHZ18TJwDkj8gVawv6HeSZt36Om3hNIJvjd+Im 5MLEDc/SB8xBlPhqMUTiGNzSAD0uS6b6y9lsxpJyb0P1fB8GYjWNeAL9PnmWSJ+Fhshs k10w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature:dkim-signature; bh=9whYV3I2D9sncm0YSwPmLsw37+1QF2SCrCak4Zfrrpc=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=DflwuDAqYjAD/eYFqOzUxdg0qsN/dL8CKh65bdCajFW4GLQRXEw1k2lixhGIzpwGyg F5RcIk+3e8Wwm5O84fm0ZGD4YmTITJN3+Hxa+17QleNn8P4rZybGUr/BzT6yTTEoOZWe Qc+M9cl4o5vPUpF5UcCYZPm9K3xxdTcpNdpE8Y9ZiW0DydxtVNvOpDg5GO8Um4YE9T51 /iMYbado3qFzeaXZr8t+VPNBHMm1PvgSIgUD0EJgGpvud+o8W85Suu2sSoI9Op6c4Kqk hZdLYPF0Im7gqvtC/yFLllOHKfJTkHL6FFwMXpPokgknfMgsduQPA90dkI98ycBR3RVX va1g==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=JC7pyrQ8; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=Q3CSiP5v; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=CFD+GIf7; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=eErxqmZw; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 006d021491bc7-69e46249262si5440625eaf.9.2026.06.05.06.14.03 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 05 Jun 2026 06:14:03 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=JC7pyrQ8; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=Q3CSiP5v; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=CFD+GIf7; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=eErxqmZw; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=9whYV3I2D9sncm0YSwPmLsw37+1QF2SCrCak4Zfrrpc=; b=JC7pyrQ8d1OVVkEVazh4pCv15u 8VmvtyIVzPLDfgPefXA8RBRdhIYwNNu6lmzTp8T2ttGJqBNMKuqzTcpePGC0//w8WjUg2zJbkeRtS ilBITElLJEtLHkOHrTcWszD+oYrpHa2Czgoo0srmgeULB4t9RJll6CP3w21R4Y43FRb0=; Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1wVUN5-0008W5-Q3; Fri, 05 Jun 2026 13:14:00 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1wVUN4-0008Vo-0D for openvpn-devel@lists.sourceforge.net; Fri, 05 Jun 2026 13:13:58 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=j9uEFeB5lXZ9wK9WAegMcuNlQwrvbaZtYgW0H+0x8PU=; b=Q3CSiP5vIulkKPILOP/NMaRumZ nq3LI/e/KFwYxbGCKg5UvsiNev2SqFTxSlQQ25CABZBWqHr7KAzh9zwE3GrpMeE19O6RcAfWYX5UW PQUdoxSRfliAsg38158Bb5+Hag5sSNvU8Pp6dTCCg6axnWspiVvF4nPmvhgyjdAT1ua4=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=j9uEFeB5lXZ9wK9WAegMcuNlQwrvbaZtYgW0H+0x8PU=; b=CFD+GIf7DsRJpLHGzGeXHfQ+Pn OycjS6EJcca6q0Dc1WyVKUMp5htdbCP68UkeMLFZl5BW62Vf+fFjf4Q6duSBmj2HcK3rRzIvd1xB6 p5m4RySnB5gpIZQrnLSwYKrSPR0CIMqBxjV92xUdAv6B8qfsCKQDTGMnq5JoHw3gTilQ=; Received: from mout-b-206.mailbox.org ([195.10.208.51]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1wVUN1-0006td-IL for openvpn-devel@lists.sourceforge.net; Fri, 05 Jun 2026 13:13:58 +0000 Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:b231:465::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-206.mailbox.org (Postfix) with ESMTPS id 4gX21z2TrRz9xds; Fri, 5 Jun 2026 15:13:43 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandelbit.com; s=MBO0001; t=1780665223; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=j9uEFeB5lXZ9wK9WAegMcuNlQwrvbaZtYgW0H+0x8PU=; b=eErxqmZwNlJmNeuEu5JXGmso3k2v5MQ7jj7W6vLYYOmZbx+jtgzbkrY6GOS/s6iexn+N+Y fQFabZKiSTEbf7ekU9spBluGf+tgoZnPWilJ85ec7QtXYn1ETRnp70ot8ATfLyqIWQ1S9K JjxFatupfqrxJjmdat4e988hN4fyICQ+jhXwyc70tsXOlcMOcmg/3yMrY0r/F3lfxmaxQz M+K2WDPrDEsddihl/9Ib5doheT2gxytr+neX3htz2akFvIcB0qRCzi/sd2rPeC3hoOewwX jk/mkKusrSHfiOJl2HlhzTWToLiA8hy9tvYAp2mDrJjeeZcZZb9bo8ueDgr7OA== Authentication-Results: outgoing_mbo_mout; dkim=none; spf=pass (outgoing_mbo_mout: domain of ralf@mandelbit.com designates 2001:67c:2050:b231:465::2 as permitted sender) smtp.mailfrom=ralf@mandelbit.com From: Ralf Lici To: openvpn-devel@lists.sourceforge.net Date: Fri, 5 Jun 2026 15:13:10 +0200 Message-ID: In-Reply-To: References: MIME-Version: 1.0 X-Rspamd-Queue-Id: 4gX21z2TrRz9xds X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-1.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: ovpn accepts a userspace-provided socket and a peer remote endpoint through netlink. For UDP peers, the remote endpoint family selects the transmit path used later by ovpn_udp_output. Reject UDP peer remotes that are incompatible with the socket state when they are configured through netlink. An IPv4 UDP socket cannot be used with an IPv6 remote endpoint, and an IPv6-only UDP socke [...] Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-Headers-End: 1wVUN1-0006td-IL Subject: [Openvpn-devel] [PATCH ovpn net v2 3/4] ovpn: reject UDP remotes incompatible with socket family X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: 1867162838566952259 X-GMAIL-MSGID: 1867162838566952259 ovpn accepts a userspace-provided socket and a peer remote endpoint through netlink. For UDP peers, the remote endpoint family selects the transmit path used later by ovpn_udp_output. Reject UDP peer remotes that are incompatible with the socket state when they are configured through netlink. An IPv4 UDP socket cannot be used with an IPv6 remote endpoint, and an IPv6-only UDP socket cannot send to an IPv4 remote endpoint. Reporting this at setup time gives userspace a clear extack and avoids installing a peer that would immediately be unable to transmit. This validation only covers the socket state visible while the netlink request is handled. The socket remains owned by userspace after it is attached to ovpn, so userspace can later change properties such as IPV6_V6ONLY or IPV6_ADDRFORM. The transmit path therefore still has to re-check socket/remote compatibility before sending. Parse the remote endpoint once in the peer new/set paths and reject UDP remotes when the provided socket cannot send to them. Pass the parsed endpoint into the common peer modify helper so the validation and the stored endpoint use the same normalized sockaddr. Fixes: 1d36a36f6d53 ("ovpn: implement peer add/get/dump/delete via netlink") Signed-off-by: Ralf Lici --- Changes since v1 https://lore.kernel.org/openvpn-devel/20260526124544.425791-3-ralf@mandelbit.com/ - Reword the commit message to clarify that netlink validation is only setup-time diagnostics. - Use a single READ_ONCE snapshot of sk->sk_family in ovpn_nl_udp_remote_compatible. drivers/net/ovpn/netlink.c | 132 ++++++++++++++++++++++++++----------- 1 file changed, 94 insertions(+), 38 deletions(-) diff --git a/drivers/net/ovpn/netlink.c b/drivers/net/ovpn/netlink.c index 01ae5a40e31d..bcef99534294 100644 --- a/drivers/net/ovpn/netlink.c +++ b/drivers/net/ovpn/netlink.c @@ -271,15 +271,17 @@ static int ovpn_nl_peer_precheck(struct ovpn_priv *ovpn, * @peer: the peer to modify * @info: generic netlink info from the user request * @attrs: the attributes from the user request + * @remote: remote address, if provided * * Return: a negative error code in case of failure, 0 on success or 1 on * success and the VPN IPs have been modified (requires rehashing in MP * mode) */ static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info, - struct nlattr **attrs) + struct nlattr **attrs, + const struct sockaddr_storage *remote) { - struct sockaddr_storage ss = {}; + struct sockaddr_storage empty_remote = {}; void *local_ip = NULL; u32 interv, timeout; bool rehash = false; @@ -287,15 +289,15 @@ static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info, spin_lock_bh(&peer->lock); - if (ovpn_nl_attr_sockaddr_remote(attrs, &ss)) { + if (remote) { /* we carry the local IP in a generic container. * ovpn_peer_reset_sockaddr() will properly interpret it - * based on ss.ss_family + * based on remote->ss_family */ local_ip = ovpn_nl_attr_local_ip(attrs); /* set peer sockaddr */ - ret = ovpn_peer_reset_sockaddr(peer, &ss, local_ip); + ret = ovpn_peer_reset_sockaddr(peer, remote, local_ip); if (ret < 0) { NL_SET_ERR_MSG_FMT_MOD(info->extack, "cannot set peer sockaddr: %d", @@ -333,7 +335,7 @@ static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info, netdev_dbg(peer->ovpn->dev, "modify peer id=%u tx_id=%u endpoint=%pIScp VPN-IPv4=%pI4 VPN-IPv6=%pI6c\n", - peer->id, peer->tx_id, &ss, + peer->id, peer->tx_id, remote ?: &empty_remote, &peer->vpn_addrs.ipv4.s_addr, &peer->vpn_addrs.ipv6); spin_unlock_bh(&peer->lock); @@ -344,10 +346,43 @@ static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info, return ret; } +/** + * ovpn_nl_udp_remote_compatible - check if a UDP socket can use a remote + * @sk: UDP socket to validate + * @remote: remote endpoint to validate against the socket + * @extack: netlink extended ACK for reporting validation errors + * + * Return: 0 if the remote endpoint is compatible with the socket or a negative + * error code otherwise. + */ +static int ovpn_nl_udp_remote_compatible(const struct sock *sk, + const struct sockaddr_storage *remote, + struct netlink_ext_ack *extack) +{ + const unsigned short sock_family = READ_ONCE(sk->sk_family); + + if (sock_family == AF_INET && remote->ss_family == AF_INET6) { + NL_SET_ERR_MSG_FMT_MOD(extack, + "UDP socket is IPv4 but remote is IPv6"); + return -EAFNOSUPPORT; + } + + if (sock_family == AF_INET6 && ipv6_only_sock(sk) && + remote->ss_family == AF_INET) { + NL_SET_ERR_MSG_FMT_MOD(extack, + "UDP socket is IPv6-only but remote is IPv4"); + return -EAFNOSUPPORT; + } + + return 0; +} + int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info) { - struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; + const struct sockaddr_storage *remote = NULL; struct ovpn_priv *ovpn = info->user_ptr[0]; + struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; + struct sockaddr_storage ss = {}; struct ovpn_socket *ovpn_sock; struct socket *sock = NULL; struct ovpn_peer *peer; @@ -411,26 +446,34 @@ int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info) goto peer_release; } - /* Only when using UDP as transport protocol the remote endpoint - * can be configured so that ovpn knows where to send packets to. - */ - if (sk_is_udp(sock->sk) && - !attrs[OVPN_A_PEER_REMOTE_IPV4] && - !attrs[OVPN_A_PEER_REMOTE_IPV6]) { - NL_SET_ERR_MSG_FMT_MOD(info->extack, - "missing remote IP address for UDP socket"); - sockfd_put(sock); - ret = -EINVAL; - goto peer_release; - } + if (ovpn_nl_attr_sockaddr_remote(attrs, &ss)) + remote = &ss; - /* In case of TCP, the socket is connected to the peer and ovpn - * will just send bytes over it, without the need to specify a - * destination. - */ - if (sk_is_tcp(sock->sk) && - (attrs[OVPN_A_PEER_REMOTE_IPV4] || - attrs[OVPN_A_PEER_REMOTE_IPV6])) { + if (sk_is_udp(sock->sk)) { + /* Only when using UDP as transport protocol the remote + * endpoint can be configured so that ovpn knows where to send + * packets to. + */ + if (!remote) { + NL_SET_ERR_MSG_FMT_MOD(info->extack, + "missing remote IP address for UDP socket"); + sockfd_put(sock); + ret = -EINVAL; + goto peer_release; + } + + /* can the socket be used with this remote? */ + ret = ovpn_nl_udp_remote_compatible(sock->sk, remote, + info->extack); + if (ret < 0) { + sockfd_put(sock); + goto peer_release; + } + } else if (remote) { + /* In case of TCP, the socket is connected to the peer and ovpn + * will just send bytes over it, without the need to specify a + * destination. + */ NL_SET_ERR_MSG_FMT_MOD(info->extack, "unexpected remote IP address with TCP socket"); sockfd_put(sock); @@ -456,7 +499,7 @@ int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info) rcu_assign_pointer(peer->sock, ovpn_sock); - ret = ovpn_nl_peer_modify(peer, info, attrs); + ret = ovpn_nl_peer_modify(peer, info, attrs, remote); if (ret < 0) goto sock_release; @@ -483,8 +526,10 @@ int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info) int ovpn_nl_peer_set_doit(struct sk_buff *skb, struct genl_info *info) { - struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; + const struct sockaddr_storage *remote = NULL; struct ovpn_priv *ovpn = info->user_ptr[0]; + struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; + struct sockaddr_storage ss = {}; struct ovpn_socket *sock; struct ovpn_peer *peer; u32 peer_id; @@ -516,22 +561,33 @@ int ovpn_nl_peer_set_doit(struct sk_buff *skb, struct genl_info *info) return -ENOENT; } - /* when using a TCP socket the remote IP is not expected */ + if (ovpn_nl_attr_sockaddr_remote(attrs, &ss)) + remote = &ss; + rcu_read_lock(); sock = rcu_dereference(peer->sock); - if (sock && sock->sk->sk_protocol == IPPROTO_TCP && - (attrs[OVPN_A_PEER_REMOTE_IPV4] || - attrs[OVPN_A_PEER_REMOTE_IPV6])) { - rcu_read_unlock(); - NL_SET_ERR_MSG_FMT_MOD(info->extack, - "unexpected remote IP address with TCP socket"); - ovpn_peer_put(peer); - return -EINVAL; + if (sock && remote) { + if (sk_is_udp(sock->sk)) { + ret = ovpn_nl_udp_remote_compatible(sock->sk, remote, + info->extack); + if (ret < 0) { + rcu_read_unlock(); + ovpn_peer_put(peer); + return ret; + } + } else if (sk_is_tcp(sock->sk)) { + /* when using a TCP socket remote IP is not expected */ + NL_SET_ERR_MSG_FMT_MOD(info->extack, + "unexpected remote IP address with TCP socket"); + rcu_read_unlock(); + ovpn_peer_put(peer); + return -EINVAL; + } } rcu_read_unlock(); spin_lock_bh(&ovpn->lock); - ret = ovpn_nl_peer_modify(peer, info, attrs); + ret = ovpn_nl_peer_modify(peer, info, attrs, remote); if (ret < 0) { spin_unlock_bh(&ovpn->lock); ovpn_peer_put(peer); From patchwork Fri Jun 5 13:13:11 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralf Lici X-Patchwork-Id: 4993 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:bc1d:b0:861:c897:cb9d with SMTP id jc29csp220923mab; Fri, 5 Jun 2026 06:14:04 -0700 (PDT) X-Forwarded-Encrypted: i=2; AFNElJ8eB1ypzDwdREV/QAvArERy6lYpWD95Kla91lBdys1Vc+QRvkQKT67iucNdOBq8nOoZEU4hhQhHu58=@openvpn.net X-Received: by 2002:a4a:edce:0:b0:69e:41d8:f7e8 with SMTP id 006d021491bc7-69e68b08111mr1877684eaf.7.1780665244153; Fri, 05 Jun 2026 06:14:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1780665244; cv=none; d=google.com; s=arc-20240605; b=RIssb6UTVfmm7tjQ3KJRJL+DHs3boIyI3S0EuVZP0uICZkxIa0hiGnFex+G/gEYyEa bX/aj0ns9LQtOD1R+RaB6yYZaHnMdx9DWJjRwV2TrFC1ZjE+R2HhIXzS8m2z83hJiFC+ 2sLhWFBw0Mro7nMNHuBhuX3OYL1wcpsw7FYTUFCzt9pPNikThKiSHNxL9arA+fIj37AK Lenr99Xgmj9giIu9KtX9E2BOd0WezH7nc6ay3RnZAs19lzjRLtB6LIe+CrP5/JtWdrSU qSZLZcyRuWY3ZsEgTdjThHfhVT2OtrCvM4EuwzUW+WuZY2WU6omvPq3TD1SZGE1ApDM+ NNew== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature:dkim-signature; bh=gkWFWc5EbMMrMwBYUjGRgFtbl436dEapzTtMcCOm3eE=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=O6Fb1wwnGPk9wn9OvSMU/mnEmjAtlL1Px4v7X3kz6g2zI3X65LQHdsaofciS7q5Lrk sCQJoW60kwj0611+c7LQC2QgjO0IEgcS8s7hBXSiurG5AHcc9Gr4zl9dgmluNzsZtH7d HxJnurbaJxXTo6fLK1mfEDuVqqJU3WVCWz/wg8cYlTjAbjkEbRWPQrfp0TAvrOc5/jgL QnXQfMPRXnyeBdsnROwijagQN9/4ERp0XFBsn6fFJierw+HGk2DTZZeQRAD2fl1590TT Xy9QOszrXAcZRsBjrEkCLdN0I3COsIhnNOM3/j1Q1DI39Bu3S0uu9zDJIRBOTrVQH2Gk boOw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=fBqfNqIp; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=exB90ssp; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=iSFniiJE; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=AskJCl2v; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 586e51a60fabf-440d86a0c13si6875943fac.192.2026.06.05.06.14.03 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 05 Jun 2026 06:14:04 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=fBqfNqIp; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=exB90ssp; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=iSFniiJE; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=AskJCl2v; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=gkWFWc5EbMMrMwBYUjGRgFtbl436dEapzTtMcCOm3eE=; b=fBqfNqIpqpQJK+XA7HB2S1Hs2W QFJNvpnXzARBA4RJeYG4c7wytKX5POwjOIOhgIf2OYWArdkC9528oLK0fe7luiuB0dBwsPgeyRjrB MX7U1UzeN/lLV9rSz6gmViQinVRTyV5liYWrVRfL39sX8Z95eFirRqB/hQYXrN+RlV2A=; Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1wVUN2-000401-Au; Fri, 05 Jun 2026 13:13:56 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1wVUN0-0003zt-8I for openvpn-devel@lists.sourceforge.net; Fri, 05 Jun 2026 13:13:54 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=LMMMXx47Y3DKcxWHWxHKwB9aeLz4StXP7FFIG0zUupE=; b=exB90sspW58qLvdxpwYMnXqiNO WXmIBKnMDlUg5PlA7UXz1GZubEJR62c6TuJhKsVcyEMRTp7reeY98UqBOuQw05dimWHj5z5Bg7Ke0 HkxHj2oIkizoQCsfCpoujNCTXtlWssgTaA7jz1/AIoNFHza3iYBOptv3H2nq2BfEoNeA=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=LMMMXx47Y3DKcxWHWxHKwB9aeLz4StXP7FFIG0zUupE=; b=iSFniiJE/tDam7IykJ1Y1tK1RR sLq3Wx5b1L8M8ItNUlPxos44Bb9cixQD0mDO139efi7rad2nu6gDg14t7keHZsJYL31JIjMPXq092 lPyE0cRhahnDz7vNSkbYTjXzwbubij1jfLdPzzwYAFsMKKzEg0xFFzbZYpcaQjaWvrd0=; Received: from mout-b-206.mailbox.org ([195.10.208.51]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1wVUMy-0006tX-Q8 for openvpn-devel@lists.sourceforge.net; Fri, 05 Jun 2026 13:13:54 +0000 Received: from smtp2.mailbox.org (smtp2.mailbox.org [10.196.197.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-206.mailbox.org (Postfix) with ESMTPS id 4gX22065nfz9xHb; Fri, 5 Jun 2026 15:13:44 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandelbit.com; s=MBO0001; t=1780665224; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LMMMXx47Y3DKcxWHWxHKwB9aeLz4StXP7FFIG0zUupE=; b=AskJCl2vxCrEv5JlYETYEyw+rqaieD4xB47Dhe0I+bFe+LiaaqFUfO2tzq4COSkWxrM6+K 9IqTt9tc3wVFfiIDzEUJT/013xWS2aCipnMR7dIJgBNmuhYGDCvGzP3dHuzqYHKRe6RxKC cXPDcQAMjX9p9OKQtyl/+nwJn5AjQwsKdDKgTBTwy8WQGPjza2uP/fEl0w2P3sSIEd4rYX q9RoIXJffNjzb3U8Ixkuypi/LDvgiH2Ur82ScTRw4NbCT2JfxlLVYml/2fsajLwZ0gEEX0 Y6ZbnMTB5FRq3ODcH3PXVXLpXadUKF+1WXYVwBh2uswLc6rDTUr9yxKr6vaynw== From: Ralf Lici To: openvpn-devel@lists.sourceforge.net Date: Fri, 5 Jun 2026 15:13:11 +0200 Message-ID: In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-1.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: ovpn validates UDP peer remotes against the socket family when the remote endpoint is configured through netlink. The socket itself, however, remains owned by userspace and some socket options can sti [...] Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-Headers-End: 1wVUMy-0006tX-Q8 Subject: [Openvpn-devel] [PATCH ovpn net v2 4/4] ovpn: recheck UDP socket family before transmit X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: 1867162838568606316 X-GMAIL-MSGID: 1867162838568606316 ovpn validates UDP peer remotes against the socket family when the remote endpoint is configured through netlink. The socket itself, however, remains owned by userspace and some socket options can still change the family seen by the transmit path. For example, IPV6_ADDRFORM can turn an AF_INET6 socket into AF_INET after ovpn accepted an IPv6 remote. Conversely, IPV6_V6ONLY can make a dual-stack AF_INET6 socket unable to send to an IPv4 remote. Recheck the socket family in ovpn_udp_output before selecting the UDP transmit path. When the peer remote family no longer matches the socket state, emit a ratelimited warning, drop the packet with -EAFNOSUPPORT and delete the peer with TRANSPORT_ERROR. Peer deletion is deferred through a common transport-error work item, because the UDP transmit path can run from non-sleepable contexts while ovpn_peer_del may release sockets and sleep. Use the same helper for TCP transport errors instead of keeping a TCP-only deferred delete work item. Fixes: 08857b5ec5d9 ("ovpn: implement basic TX path (UDP)") Signed-off-by: Ralf Lici --- Changes since v1 https://lore.kernel.org/openvpn-devel/20260526124544.425791-4-ralf@mandelbit.com/ - Emit ratelimited warnings when UDP TX detects a socket/remote address family mismatch. - Delete the peer with TRANSPORT_ERROR on UDP socket/remote family mismatches, using deferred work because TX can run from non-sleepable contexts. - Move the TCP deferred transport-error deletion work into a common ovpn_peer_del_transport_error helper and reuse it from TCP and UDP. - Read sk->sk_family once before selecting the UDP TX path. - Fix the IPV6_V6ONLY comment typo. drivers/net/ovpn/peer.c | 19 +++++++++++++++++++ drivers/net/ovpn/peer.h | 5 +++-- drivers/net/ovpn/tcp.c | 21 +++------------------ drivers/net/ovpn/udp.c | 24 +++++++++++++++++++++--- 4 files changed, 46 insertions(+), 23 deletions(-) diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c index c02dfab51a6e..8411a4ac85d6 100644 --- a/drivers/net/ovpn/peer.c +++ b/drivers/net/ovpn/peer.c @@ -82,6 +82,24 @@ static void ovpn_peer_keepalive_send(struct work_struct *work) local_bh_enable(); } +static void ovpn_peer_transport_error_work(struct work_struct *work) +{ + struct ovpn_peer *peer = container_of(work, struct ovpn_peer, + transport_error_work); + + ovpn_peer_del(peer, OVPN_DEL_PEER_REASON_TRANSPORT_ERROR); + ovpn_peer_put(peer); +} + +void ovpn_peer_del_transport_error(struct ovpn_peer *peer) +{ + if (WARN_ON(!ovpn_peer_hold(peer))) + return; + + if (!schedule_work(&peer->transport_error_work)) + ovpn_peer_put(peer); +} + /** * ovpn_peer_new - allocate and initialize a new peer object * @ovpn: the openvpn instance inside which the peer should be created @@ -115,6 +133,7 @@ struct ovpn_peer *ovpn_peer_new(struct ovpn_priv *ovpn, u32 id) kref_init(&peer->refcount); ovpn_peer_stats_init(&peer->vpn_stats); ovpn_peer_stats_init(&peer->link_stats); + INIT_WORK(&peer->transport_error_work, ovpn_peer_transport_error_work); INIT_WORK(&peer->keepalive_work, ovpn_peer_keepalive_send); ret = dst_cache_init(&peer->dst_cache, GFP_KERNEL); diff --git a/drivers/net/ovpn/peer.h b/drivers/net/ovpn/peer.h index 328401570cba..1b8142919da6 100644 --- a/drivers/net/ovpn/peer.h +++ b/drivers/net/ovpn/peer.h @@ -59,6 +59,7 @@ * @refcount: reference counter * @rcu: used to free peer in an RCU safe way * @release_entry: entry for the socket release list + * @transport_error_work: work used to delete peer on transport error * @keepalive_work: used to schedule keepalive sending */ struct ovpn_peer { @@ -94,8 +95,6 @@ struct ovpn_peer { struct proto *prot; const struct proto_ops *ops; } sk_cb; - - struct work_struct defer_del_work; } tcp; struct ovpn_crypto_state crypto; struct dst_cache dst_cache; @@ -113,6 +112,7 @@ struct ovpn_peer { struct kref refcount; struct rcu_head rcu; struct llist_node release_entry; + struct work_struct transport_error_work; struct work_struct keepalive_work; }; @@ -142,6 +142,7 @@ static inline void ovpn_peer_put(struct ovpn_peer *peer) struct ovpn_peer *ovpn_peer_new(struct ovpn_priv *ovpn, u32 id); int ovpn_peer_add(struct ovpn_priv *ovpn, struct ovpn_peer *peer); int ovpn_peer_del(struct ovpn_peer *peer, enum ovpn_del_peer_reason reason); +void ovpn_peer_del_transport_error(struct ovpn_peer *peer); void ovpn_peers_free(struct ovpn_priv *ovpn, struct sock *sock, enum ovpn_del_peer_reason reason); diff --git a/drivers/net/ovpn/tcp.c b/drivers/net/ovpn/tcp.c index 65054cc84be5..e98e253a3f5a 100644 --- a/drivers/net/ovpn/tcp.c +++ b/drivers/net/ovpn/tcp.c @@ -148,10 +148,7 @@ static void ovpn_tcp_rcv(struct strparser *strp, struct sk_buff *skb) ovpn_recv(peer, skb); return; err: - /* take reference for deferred peer deletion. should never fail */ - if (WARN_ON(!ovpn_peer_hold(peer))) - goto err_nopeer; - schedule_work(&peer->tcp.defer_del_work); + ovpn_peer_del_transport_error(peer); dev_dstats_rx_dropped(peer->ovpn->dev); err_nopeer: kfree_skb(skb); @@ -239,7 +236,7 @@ void ovpn_tcp_socket_wait_finish(struct ovpn_socket *sock) { struct ovpn_peer *peer = sock->peer; - /* NOTE: we don't wait for peer->tcp.defer_del_work to finish: + /* NOTE: we don't wait for peer->transport_error_work to finish: * either the worker is not running or this function * was invoked by that worker. */ @@ -282,8 +279,7 @@ static void ovpn_tcp_send_sock(struct ovpn_peer *peer, struct sock *sk) /* in case of TCP error we can't recover the VPN * stream therefore we abort the connection */ - ovpn_peer_hold(peer); - schedule_work(&peer->tcp.defer_del_work); + ovpn_peer_del_transport_error(peer); /* we bail out immediately and keep tx_in_progress set * to true. This way we prevent more TX attempts @@ -496,15 +492,6 @@ static void ovpn_tcp_build_protos(struct proto *new_prot, const struct proto *orig_prot, const struct proto_ops *orig_ops); -static void ovpn_tcp_peer_del_work(struct work_struct *work) -{ - struct ovpn_peer *peer = container_of(work, struct ovpn_peer, - tcp.defer_del_work); - - ovpn_peer_del(peer, OVPN_DEL_PEER_REASON_TRANSPORT_ERROR); - ovpn_peer_put(peer); -} - /* Set TCP encapsulation callbacks */ int ovpn_tcp_socket_attach(struct ovpn_socket *ovpn_sock, struct ovpn_peer *peer) @@ -537,8 +524,6 @@ int ovpn_tcp_socket_attach(struct ovpn_socket *ovpn_sock, goto err; } - INIT_WORK(&peer->tcp.defer_del_work, ovpn_tcp_peer_del_work); - __sk_dst_reset(ovpn_sock->sk); skb_queue_head_init(&peer->tcp.user_queue); skb_queue_head_init(&peer->tcp.out_queue); diff --git a/drivers/net/ovpn/udp.c b/drivers/net/ovpn/udp.c index 49dc15486043..b8aa7e47df8e 100644 --- a/drivers/net/ovpn/udp.c +++ b/drivers/net/ovpn/udp.c @@ -311,6 +311,7 @@ static int ovpn_udp6_output(struct ovpn_peer *peer, struct ovpn_bind *bind, static int ovpn_udp_output(struct ovpn_peer *peer, struct dst_cache *cache, struct sock *sk, struct sk_buff *skb) { + unsigned short sock_family; struct ovpn_bind *bind; int ret; @@ -327,18 +328,35 @@ static int ovpn_udp_output(struct ovpn_peer *peer, struct dst_cache *cache, goto out; } + sock_family = READ_ONCE(sk->sk_family); + ret = -EAFNOSUPPORT; switch (bind->remote.in4.sin_family) { case AF_INET: + /* userspace might have set IPV6_V6ONLY */ + if (unlikely(sock_family == AF_INET6 && ipv6_only_sock(sk))) { + net_warn_ratelimited("%s: peer %u: IPv4 remote, IPv6-only socket\n", + netdev_name(peer->ovpn->dev), + peer->id); + ovpn_peer_del_transport_error(peer); + break; + } + ret = ovpn_udp4_output(peer, bind, cache, sk, skb); break; #if IS_ENABLED(CONFIG_IPV6) case AF_INET6: + /* userspace might have set IPV6_ADDRFORM */ + if (unlikely(sock_family != AF_INET6)) { + net_warn_ratelimited("%s: peer %u: IPv6 remote, IPv4 socket\n", + netdev_name(peer->ovpn->dev), + peer->id); + ovpn_peer_del_transport_error(peer); + break; + } + ret = ovpn_udp6_output(peer, bind, cache, sk, skb); break; #endif - default: - ret = -EAFNOSUPPORT; - break; } out: