| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240906191809.GM2097826@kernel.org>
Date: Fri, 6 Sep 2024 20:18:09 +0100
From: Simon Horman <horms@...nel.org>
To: Antonio Quartulli <antonio@...nvpn.net>
Cc: netdev@...r.kernel.org, kuba@...nel.org, pabeni@...hat.com,
ryazanov.s.a@...il.com, edumazet@...gle.com, andrew@...n.ch,
sd@...asysnail.net
Subject: Re: [PATCH net-next v6 11/25] ovpn: implement basic RX path (UDP)
On Tue, Aug 27, 2024 at 02:07:51PM +0200, Antonio Quartulli wrote:
> Packets received over the socket are forwarded to the user device.
>
> Implementation is UDP only. TCP will be added by a later patch.
>
> Note: no decryption/decapsulation exists yet, packets are forwarded as
> they arrive without much processing.
>
> Signed-off-by: Antonio Quartulli <antonio@...nvpn.net>
...
> +/**
> + * ovpn_udp_encap_recv - Start processing a received UDP packet.
> + * @sk: socket over which the packet was received
> + * @skb: the received packet
> + *
> + * If the first byte of the payload is DATA_V2, the packet is further processed,
> + * otherwise it is forwarded to the UDP stack for delivery to user space.
> + *
> + * Return:
> + * 0 if skb was consumed or dropped
> + * >0 if skb should be passed up to userspace as UDP (packet not consumed)
> + * <0 if skb should be resubmitted as proto -N (packet not consumed)
> + */
> +static int ovpn_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
> +{
> + struct ovpn_peer *peer = NULL;
> + struct ovpn_struct *ovpn;
> + u32 peer_id;
> + u8 opcode;
> +
> + ovpn = ovpn_from_udp_sock(sk);
> + if (unlikely(!ovpn)) {
> + net_err_ratelimited("%s: cannot obtain ovpn object from UDP socket\n",
> + __func__);
> + goto drop;
Hi Antonio,
Here ovpn is NULL. But jumping to drop will result in ovpn being dereferenced.
Flagged by Smatch.
> + }
> +
> + /* Make sure the first 4 bytes of the skb data buffer after the UDP
> + * header are accessible.
> + * They are required to fetch the OP code, the key ID and the peer ID.
> + */
> + if (unlikely(!pskb_may_pull(skb, sizeof(struct udphdr) +
> + OVPN_OP_SIZE_V2))) {
> + net_dbg_ratelimited("%s: packet too small\n", __func__);
> + goto drop;
> + }
> +
> + opcode = ovpn_opcode_from_skb(skb, sizeof(struct udphdr));
> + if (unlikely(opcode != OVPN_DATA_V2)) {
> + /* DATA_V1 is not supported */
> + if (opcode == OVPN_DATA_V1)
> + goto drop;
> +
> + /* unknown or control packet: let it bubble up to userspace */
> + return 1;
> + }
> +
> + peer_id = ovpn_peer_id_from_skb(skb, sizeof(struct udphdr));
> + /* some OpenVPN server implementations send data packets with the
> + * peer-id set to undef. In this case we skip the peer lookup by peer-id
> + * and we try with the transport address
> + */
> + if (peer_id != OVPN_PEER_ID_UNDEF) {
> + peer = ovpn_peer_get_by_id(ovpn, peer_id);
> + if (!peer) {
> + net_err_ratelimited("%s: received data from unknown peer (id: %d)\n",
> + __func__, peer_id);
> + goto drop;
> + }
> + }
> +
> + if (!peer) {
> + /* data packet with undef peer-id */
> + peer = ovpn_peer_get_by_transp_addr(ovpn, skb);
> + if (unlikely(!peer)) {
> + net_dbg_ratelimited("%s: received data with undef peer-id from unknown source\n",
> + __func__);
> + goto drop;
> + }
> + }
> +
> + /* pop off outer UDP header */
> + __skb_pull(skb, sizeof(struct udphdr));
> + ovpn_recv(peer, skb);
> + return 0;
> +
> +drop:
> + if (peer)
> + ovpn_peer_put(peer);
> + dev_core_stats_rx_dropped_inc(ovpn->dev);
> + kfree_skb(skb);
> + return 0;
> +}
> +
...
Powered by blists - more mailing lists