| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <78e59cd0-332e-4a97-8060-ccdf023e8a91@openvpn.net>
Date: Mon, 3 Feb 2025 14:12:52 +0100
From: Antonio Quartulli <antonio@...nvpn.net>
To: Sabrina Dubroca <sd@...asysnail.net>
Cc: netdev@...r.kernel.org, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Donald Hunter <donald.hunter@...il.com>, Shuah Khan <shuah@...nel.org>,
ryazanov.s.a@...il.com, Andrew Lunn <andrew+netdev@...n.ch>,
Simon Horman <horms@...nel.org>, linux-kernel@...r.kernel.org,
linux-kselftest@...r.kernel.org, Xiao Liang <shaw.leon@...il.com>
Subject: Re: [PATCH net-next v18 12/25] ovpn: implement TCP transport
On 03/02/2025 11:05, Sabrina Dubroca wrote:
> 2025-01-13, 10:31:31 +0100, Antonio Quartulli wrote:
>> +static void ovpn_tcp_rcv(struct strparser *strp, struct sk_buff *skb)
>> +{
> [...]
>> + /* we need the first byte of data to be accessible
>> + * to extract the opcode and the key ID later on
>> + */
>> + if (!pskb_may_pull(skb, 1)) {
>
> make sure we have 1B...
>
>> + net_warn_ratelimited("%s: packet too small to fetch opcode for peer %u\n",
>> + netdev_name(peer->ovpn->dev), peer->id);
>> + goto err;
>> + }
>> +
>> + /* DATA_V2 packets are handled in kernel, the rest goes to user space */
>> + opcode = ovpn_opcode_from_skb(skb, 0);
>
> but this reads a u32 (4B) from skb->data
ACK, hand-in-hand with the comment not updated.
Will fix this.
>
> [...]
>> +void ovpn_tcp_socket_detach(struct ovpn_socket *ovpn_sock)
>> +{
>> + struct ovpn_peer *peer = ovpn_sock->peer;
>> + struct socket *sock = ovpn_sock->sock;
>> +
>> + strp_stop(&peer->tcp.strp);
>> +
>> + skb_queue_purge(&peer->tcp.user_queue);
>>
>> + /* restore CBs that were saved in ovpn_sock_set_tcp_cb() */
>> + sock->sk->sk_data_ready = peer->tcp.sk_cb.sk_data_ready;
>> + sock->sk->sk_write_space = peer->tcp.sk_cb.sk_write_space;
>> + sock->sk->sk_prot = peer->tcp.sk_cb.prot;
>> + sock->sk->sk_socket->ops = peer->tcp.sk_cb.ops;
>> +
>> + /* drop reference to peer */
>
> nit: not really :)
drop comment :)
>
>> + rcu_assign_sk_user_data(sock->sk, NULL);
>> +
>> + /* before canceling any ongoing work we must ensure that CBs
>> + * have been reset to prevent workers from being re-armed
>> + */
>> + barrier();
>> +
>> + cancel_work_sync(&peer->tcp.tx_work);
>> + strp_done(&peer->tcp.strp);
>> + skb_queue_purge(&peer->tcp.out_queue);
>
> Also kfree_skb(peer->tcp.out_msg.skb)?
hm yeah, it could be we allocated one but did not finish filling it.
>
>> + ovpn_peer_put(peer);
>> +}
>
>
> [...]
>> +static int ovpn_tcp_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
>> +{
> [...]
>> + ret = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, size);
>> + if (ret) {
>> + kfree_skb(skb);
>> + net_err_ratelimited("%s: skb copy from iter failed: %d\n",
>> + netdev_name(sock->peer->ovpn->dev), ret);
>> + goto peer_free;
>> + }
>> +
>> + ovpn_tcp_send_sock_skb(sock->peer, skb);
>
> This isn't propagating MSG_DONTWAIT down to ovpn_tcp_send_sock?
>
patch 14/25 will add a new member to ovpn_cb which will be filled right
before calling ovpn_tcp_send_sock_skb() and that gets picked later.
Cheers,
--
Antonio Quartulli
OpenVPN Inc.
Powered by blists - more mailing lists