lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ZpZ4cF7hLTIxBiej@hog>
Date: Tue, 16 Jul 2024 15:41:04 +0200
From: Sabrina Dubroca <sd@...asysnail.net>
To: Antonio Quartulli <antonio@...nvpn.net>
Cc: netdev@...r.kernel.org, kuba@...nel.org, ryazanov.s.a@...il.com,
	pabeni@...hat.com, edumazet@...gle.com, andrew@...n.ch
Subject: Re: [PATCH net-next v5 20/25] ovpn: implement peer add/dump/delete
 via netlink

2024-06-27, 15:08:38 +0200, Antonio Quartulli wrote:
> @@ -29,7 +34,7 @@ MODULE_ALIAS_GENL_FAMILY(OVPN_FAMILY_NAME);
>   * Return: the netdevice, if found, or an error otherwise
>   */
>  static struct net_device *
> -ovpn_get_dev_from_attrs(struct net *net, struct genl_info *info)
> +ovpn_get_dev_from_attrs(struct net *net, const struct genl_info *info)

nit: this should be squashed into "add basic netlink support"


[...]
>  int ovpn_nl_set_peer_doit(struct sk_buff *skb, struct genl_info *info)
>  {
> -	return -EOPNOTSUPP;
> +	bool keepalive_set = false, new_peer = false;
> +	struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
> +	struct ovpn_struct *ovpn = info->user_ptr[0];
> +	struct sockaddr_storage *ss = NULL;
> +	u32 sockfd, id, interv, timeout;
> +	struct socket *sock = NULL;
> +	struct sockaddr_in mapped;
> +	struct sockaddr_in6 *in6;
> +	struct ovpn_peer *peer;
> +	u8 *local_ip = NULL;
> +	size_t sa_len;
> +	int ret;
> +
> +	if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
> +		return -EINVAL;
> +
> +	ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
> +			       ovpn_peer_nl_policy, info->extack);
> +	if (ret)
> +		return ret;
> +
> +	if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
> +			      OVPN_A_PEER_ID))
> +		return -EINVAL;
> +
> +	id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
> +	/* check if the peer exists first, otherwise create a new one */
> +	peer = ovpn_peer_get_by_id(ovpn, id);
> +	if (!peer) {
> +		peer = ovpn_peer_new(ovpn, id);
> +		new_peer = true;
> +		if (IS_ERR(peer)) {
> +			NL_SET_ERR_MSG_FMT_MOD(info->extack,
> +					       "cannot create new peer object for peer %u (sockaddr=%pIScp): %ld",
> +					       id, ss, PTR_ERR(peer));

ss hasn't been set yet at this point, including it in the extack
message is not useful.

> +			return PTR_ERR(peer);
> +		}
> +	}
> +
> +	if (new_peer && NL_REQ_ATTR_CHECK(info->extack,
> +					  info->attrs[OVPN_A_PEER], attrs,
> +					  OVPN_A_PEER_SOCKET)) {

This can be checked at the start of the previous block (!peer), we'd
avoid a pointless peer allocation.

(and the linebreaks in NL_REQ_ATTR_CHECK end up being slightly better
because you don't need the "new_peer &&" test that is wider than the
tab used to indent the !peer block :))

> +		ret = -EINVAL;
> +		goto peer_release;
> +	}
> +
> +	if (new_peer && ovpn->mode == OVPN_MODE_MP &&
> +	    !attrs[OVPN_A_PEER_VPN_IPV4] && !attrs[OVPN_A_PEER_VPN_IPV6]) {

Same for this check.

> +		NL_SET_ERR_MSG_MOD(info->extack,
> +				   "a VPN IP is required when adding a peer in MP mode");
> +		ret = -EINVAL;
> +		goto peer_release;
> +	}
> +
> +	if (attrs[OVPN_A_PEER_SOCKET]) {
> +		/* lookup the fd in the kernel table and extract the socket
> +		 * object
> +		 */
> +		sockfd = nla_get_u32(attrs[OVPN_A_PEER_SOCKET]);
> +		/* sockfd_lookup() increases sock's refcounter */
> +		sock = sockfd_lookup(sockfd, &ret);
> +		if (!sock) {
> +			NL_SET_ERR_MSG_FMT_MOD(info->extack,
> +					       "cannot lookup peer socket (fd=%u): %d",
> +					       sockfd, ret);
> +			ret = -ENOTSOCK;
> +			goto peer_release;
> +		}
> +
> +		if (peer->sock)
> +			ovpn_socket_put(peer->sock);
> +
> +		peer->sock = ovpn_socket_new(sock, peer);
> +		if (IS_ERR(peer->sock)) {
> +			NL_SET_ERR_MSG_FMT_MOD(info->extack,
> +					       "cannot encapsulate socket: %ld",
> +					       PTR_ERR(peer->sock));
> +			sockfd_put(sock);
> +			peer->sock = NULL;

Is there any value for the client in keeping the old peer->sock
assigned if we fail here?

ie something like:

    tmp = ovpn_socket_new(sock, peer);
    if (IS_ERR(tmp)) {
        ...
        goto peer_release;
    }
    if (peer->sock)
        ovpn_socket_put(peer->sock);
    peer->sock = tmp;


But if it's just going to get rid of the old socket and the whole
association/peer on failure, probably not.

> +			ret = -ENOTSOCK;
> +			goto peer_release;
> +		}
> +	}
> +
> +	/* Only when using UDP as transport protocol the remote endpoint
> +	 * can be configured so that ovpn knows where to send packets
> +	 * to.
> +	 *
> +	 * In case of TCP, the socket is connected to the peer and ovpn
> +	 * will just send bytes over it, without the need to specify a
> +	 * destination.

(that should also work with UDP "connected" sockets)


> +	 */
> +	if (peer->sock->sock->sk->sk_protocol == IPPROTO_UDP &&
> +	    attrs[OVPN_A_PEER_SOCKADDR_REMOTE]) {
[...]
> +
> +		if (attrs[OVPN_A_PEER_LOCAL_IP]) {
> +			local_ip = ovpn_nl_attr_local_ip(info, ovpn,
> +							 attrs,
> +							 ss->ss_family);
> +			if (IS_ERR(local_ip)) {
> +				ret = PTR_ERR(local_ip);
> +				NL_SET_ERR_MSG_FMT_MOD(info->extack,
> +						       "cannot retrieve local IP: %d",
> +						       ret);

ovpn_nl_attr_local_ip already sets a more specific extack message,
this is unnecessary.

> +				goto peer_release;
> +			}
> +		}
> +
> +		/* set peer sockaddr */
> +		ret = ovpn_peer_reset_sockaddr(peer, ss, local_ip);
> +		if (ret < 0) {
> +			NL_SET_ERR_MSG_FMT_MOD(info->extack,
> +					       "cannot set peer sockaddr: %d",
> +					       ret);
> +			goto peer_release;
> +		}
> +	}

I would reject OVPN_A_PEER_SOCKADDR_REMOTE for a non-UDP socket.


> +	/* VPN IPs cannot be updated, because they are hashed */

Then I think there should be something like

    if (!new_peer && (attrs[OVPN_A_PEER_VPN_IPV4] || attrs[OVPN_A_PEER_VPN_IPV6])) {
        NL_SET_ERR_MSG_FMT_MOD(... "can't update ip");
        ret = -EINVAL;
        goto peer_release;
    }

(just after getting the peer, before any changes have actually been
made)

And if they are only used in MP mode, I would maybe also reject
requests where mode==P2P and OVPN_A_PEER_VPN_IPV* is provided.


> +	if (new_peer && attrs[OVPN_A_PEER_VPN_IPV4])
> +		peer->vpn_addrs.ipv4.s_addr =
> +			nla_get_in_addr(attrs[OVPN_A_PEER_VPN_IPV4]);
> +
> +	/* VPN IPs cannot be updated, because they are hashed */
> +	if (new_peer && attrs[OVPN_A_PEER_VPN_IPV6])
> +		peer->vpn_addrs.ipv6 =
> +			nla_get_in6_addr(attrs[OVPN_A_PEER_VPN_IPV6]);
> +
> +	/* when setting the keepalive, both parameters have to be configured */

Then I would also reject a config where only one is set (also before any
changes have been made).

> +	if (attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] &&
> +	    attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) {
> +		keepalive_set = true;
> +		interv = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]);
> +		timeout = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]);
> +	}
> +
> +	if (keepalive_set)
> +		ovpn_peer_keepalive_set(peer, interv, timeout);

Why not skip the bool and just do this in the previous block?

> +	netdev_dbg(ovpn->dev,
> +		   "%s: %s peer with endpoint=%pIScp/%s id=%u VPN-IPv4=%pI4 VPN-IPv6=%pI6c\n",
> +		   __func__, (new_peer ? "adding" : "modifying"), ss,
> +		   peer->sock->sock->sk->sk_prot_creator->name, peer->id,
> +		   &peer->vpn_addrs.ipv4.s_addr, &peer->vpn_addrs.ipv6);
> +
> +	if (new_peer) {
> +		ret = ovpn_peer_add(ovpn, peer);
> +		if (ret < 0) {
> +			NL_SET_ERR_MSG_FMT_MOD(info->extack,
> +					       "cannot add new peer (id=%u) to hashtable: %d\n",
> +					       peer->id, ret);
> +			goto peer_release;
> +		}
> +	} else {
> +		ovpn_peer_put(peer);
> +	}
> +
> +	return 0;
> +
> +peer_release:
> +	if (new_peer) {
> +		/* release right away because peer is not really used in any
> +		 * context
> +		 */
> +		ovpn_peer_release(peer);
> +		kfree(peer);

I don't think that's correct, the new peer was created with
ovpn_peer_new, so it took a reference on the netdevice
(netdev_hold(ovpn->dev, ...)), which isn't released by
ovpn_peer_release. Why not just go through ovpn_peer_put?

> +	} else {
> +		ovpn_peer_put(peer);
> +	}
> +
> +	return ret;
> +}
> +

[...]
>  int ovpn_nl_get_peer_doit(struct sk_buff *skb, struct genl_info *info)
>  {
[...]
> +	peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
> +	peer = ovpn_peer_get_by_id(ovpn, peer_id);
> +	if (!peer) {
> +		NL_SET_ERR_MSG_FMT_MOD(info->extack,
> +				       "cannot find peer with id %u", peer_id);
> +		return -ENOENT;
> +	}
> +
> +	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
> +	if (!msg)

Missing ovpn_peer_put?

> +		return -ENOMEM;
> +
> +	ret = ovpn_nl_send_peer(msg, info, peer, info->snd_portid,
> +				info->snd_seq, 0);
> +	if (ret < 0) {
> +		nlmsg_free(msg);
> +		goto err;
> +	}
> +
> +	ret = genlmsg_reply(msg, info);
> +err:
> +	ovpn_peer_put(peer);
> +	return ret;
>  }

-- 
Sabrina

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ