dco-linux: enforce ifindex only for DEL_PEER notifications

The unconditional ifindex check introduced by commit e78a8af2f5
rejects legitimate kernel replies, specifically peer stats responses,
because those messages do not carry OVPN_ATTR_IFINDEX.

Move the check into ovpn_handle_del_peer() so it applies only to
spontaneous DEL_PEER notifications from the kernel. This keeps
response handling working while still filtering foreign-instance
notifications.

Fixes: e78a8af2f5 ("dco: backport immediate notification processing on Linux and FreeBSD")
Github: closes OpenVPN/openvpn#1020
Change-Id: I9b1f4fd06c8a02d3f51b6a3bdea2f92191669660
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1636
Message-Id: <20260422055636.20691-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36721.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
Ralf Lici 2026-04-22 07:56:30 +02:00 committed by Gert Doering
parent e78a8af2f5
commit adece45628


@ -857,6 +857,23 @@ ovpn_handle_peer(dco_context_t *dco, struct nlattr *attrs[])
static int
ovpn_handle_del_peer(dco_context_t *dco, struct nlattr *attrs[])
{
/* we must know which interface this message is referring to in order to
* avoid mixing messages for other instances
*/
if (!attrs[OVPN_ATTR_IFINDEX])
{
msg(D_DCO, "ovpn-dco: Received message without ifindex");
return NL_STOP;
}
uint32_t ifindex = nla_get_u32(attrs[OVPN_ATTR_IFINDEX]);
if (ifindex != dco->ifindex)
{
msg(D_DCO_DEBUG, "ovpn-dco: ignoring message for foreign ifindex %d",
ifindex);
return NL_SKIP;
}
if (!attrs[OVPN_ATTR_DEL_PEER])
{
msg(D_DCO, "ovpn-dco: no attributes in OVPN_DEL_PEER message");
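Review bot: the format specifier on the foreign-ifindex log line does not match the variable's type: `ifindex` is declared `uint32_t` but is printed with `%d`; use `%u` (or `PRIu32`) so the value is not reinterpreted as signed and -Wformat stays quiet. Separately, the two rejection paths in this block return different codes: a notification without OVPN_ATTR_IFINDEX returns NL_STOP, which makes libnl stop processing the remaining messages of the batch, while a mismatched ifindex returns NL_SKIP. Both cases mean "not a DEL_PEER notification for this instance", so consider returning NL_SKIP in both so that one malformed notification cannot stall delivery of the notifications that follow it; if NL_STOP is intentional, a comment saying why would help.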
@ -930,23 +947,6 @@ ovpn_handle_msg(struct nl_msg *msg, void *arg)
return NL_STOP;
}
/* we must know which interface this message is referring to in order to
* avoid mixing messages for other instances
*/
if (!attrs[OVPN_ATTR_IFINDEX])
{
msg(D_DCO, "ovpn-dco: Received message without ifindex");
return NL_STOP;
}
uint32_t ifindex = nla_get_u32(attrs[OVPN_ATTR_IFINDEX]);
if (ifindex != dco->ifindex)
{
msg(D_DCO_DEBUG, "ovpn-dco: ignoring message for foreign ifindex %d",
ifindex);
return NL_SKIP;
}
/* based on the message type, we parse the subobject contained in the
* message, that stores the type-specific attributes.
*
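Review bot: with the ifindex block removed from ovpn_handle_msg(), every message type dispatched from this function other than DEL_PEER now reaches its handler without any per-instance filtering, and the reason this is safe lives only in the commit message. Add a short comment at this point stating why replies such as the peer stats response need no ifindex check here and that spontaneous notifications are expected to perform their own check, as ovpn_handle_del_peer() now does; otherwise a future notification handler added to this dispatcher will silently lack the foreign-instance filtering this change keeps for DEL_PEER.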