From patchwork Mon Jun 8 12:17:54 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 5001
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 8 Jun 2026 14:17:54 +0200
Message-ID: <20260608121759.10121-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.53.0
Subject: [Openvpn-devel] [PATCH v1] Ensure pushed tun-mtu is no lower than TUN_MTU_MIN
From: Arne Schwabe

The normal path ensures that the minimum tun mtu is set to at least
TUN_MTU_MIN. However, the pushed options path does not have this
restriction.

Check that the tun-mtu is within the limits of min/max mtu in options.c.
This ensures that the check is also correctly done on the pushed variant.

Also add an extra check to keep the allowed payload for icmp6 packets at
least 64 bytes in the block-ipv6 code path (ipv6_send_icmp_unreachable)
as an extra layer of defence.

Pushing a low mtu like 1 and also block-ipv6 could trigger an assertion in
the ipv6_send_icmp_unreachable code path.

Reported-By: Haiyang Huang
Change-Id: Iff8b336126a5dff9871213664b1e8585fb70d21e
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1708
---
This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to release/2.6.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1708
This mail reflects revision 1 of this Change.

Signed-off-by line for the author was added as per our policy.

Acked-by according to Gerrit (reflected above): Gert Doering

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index e43ce28..2255951 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1610,6 +1610,8 @@ */ int max_payload_size = min_int(MAX_ICMPV6LEN, c->c2.frame.tun_mtu - icmpheader_len); + /* Ensure that minimum payload size is at least 64 bytes as extra safety layer */ + max_payload_size = max_int(max_payload_size, 64); int payload_len = min_int(max_payload_size, BLEN(&inputipbuf)); pip6out.payload_len = htons(sizeof(struct openvpn_icmp6hdr) + payload_len);
diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index d3df5b2..70ec43d 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -69,6 +69,11 @@ */ #define TUN_MTU_DEFAULT 1500 +/** + * Maximum MTU we accept for MTU related options + */ +#define TUN_MTU_MAX 65536 + /* * MTU Defaults for TAP devices */
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 044aab3..ea640da 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -6552,7 +6552,15 @@ else if (streq(p[0], "tun-mtu") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION); - options->ce.tun_mtu = positive_atoi(p[1]); + int mtu = positive_atoi(p[1]); + if (mtu < TUN_MTU_MIN || mtu > TUN_MTU_MAX) + { + msg(msglevel, "--mtu parm must be between %d and %d.", TUN_MTU_MIN, + TUN_MTU_MAX); + goto err; + } + + options->ce.tun_mtu = mtu; options->ce.tun_mtu_defined = true; if (p[2]) {
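Review bot: the new comment in the forward.c hunk misdescribes the line under it. `max_payload_size` is the cap on how much of the offending packet is echoed back in the ICMPv6 error, so `max_int(max_payload_size, 64)` floors the cap, not the payload; the actual length is still `min_int(max_payload_size, BLEN(&inputipbuf))`, so an input shorter than 64 bytes is not padded. Suggest rewording to something like `/* never let the echo cap fall below 64 bytes, even for a pathological tun_mtu */`. It would also help to state in the comment that when `c->c2.frame.tun_mtu - icmpheader_len` is below 64 (or negative) the floor deliberately lets the ICMPv6 reply exceed the configured tun MTU, and that the range check in options.c is what keeps that case from arising in practice; a reader who only sees this line has no way to tell why 64 is considered safe.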
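Review bot: the doc comment on `TUN_MTU_MAX` in the mtu.h hunk says the bound applies to "MTU related options", but the only consumer in this patch is the `tun-mtu` branch in options.c; either narrow the comment to tun-mtu or give the other MTU options the same bound in a follow-up so the comment stays true. The value also deserves a one-line justification: 65536 is one above the largest 16-bit IP total length (65535), and since the options.c check is `mtu > TUN_MTU_MAX`, 65536 itself is accepted. If the 16-bit limit was the intent, 65535 is the inclusive bound; if 65536 is intentional, say why in the comment.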
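Review bot: the error message in the options.c hunk names the wrong option. It prints `--mtu parm must be between %d and %d.` while the branch being parsed is `tun-mtu`; suggest `--tun-mtu parm must be between %d and %d.` so a rejected value, whether from a config file or a push, can be traced back to its source. The check itself does what the commit message promises: `VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION)` means this same branch handles the pushed value, so `goto err` now rejects a pushed `tun-mtu 1` instead of assigning it. Because `positive_atoi(p[1])` runs before the range test, whatever it returns for malformed input is now subject to the `mtu < TUN_MTU_MIN` half as well, which is worth a short comment. Leaving `options->ce.tun_mtu_defined` untouched on the error path looks right.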