Fix UDP checksum handling in clinat.c

#1037
2026-05-28 04:03:29 -04:00 · 2026-05-19 11:00:01 +03:00 · 2026-05-19 11:00:01 +03:00 · 1be394ed91
commit 1be394ed91
parent 2b8afc6c68
1 changed files with 16 additions and 1 deletions
--- a/src/openvpn/clinat.c
+++ b/src/openvpn/clinat.c
@ -258,7 +258,22 @@ client_nat_transform(const struct client_nat_option_list *list, struct buffer *i
        {
            if (BLENZ(ipbuf) >= sizeof(struct openvpn_iphdr) + sizeof(struct openvpn_udphdr))
            {
-                ADJUST_CHECKSUM(accumulate, h->u.udp.check);
+                /* RFC 768: a UDP checksum of 0 means "no checksum computed".
+                 * Do not run the incremental adjustment over a non-checksum,
+                 * or we will write a bogus non-zero value into the field. */
+        
+                if (h->u.udp.check != 0)
+                {
+                    ADJUST_CHECKSUM(accumulate, h->u.udp.check);
+        
+                    /* RFC 768: a computed checksum of 0 must be transmitted
+                     * as 0xFFFF, because 0 is reserved to mean "no checksum". */
+        
+                    if (h->u.udp.check == 0)
+                    {
+                        h->u.udp.check = 0xFFFF;
+                    }
+                }
            }
        }
    }