From: Arne Schwabe <[email protected]>

The normal path ensures that the minimum tun mtu is set to at least TUN_MTU_MIN. However, the pushed options path does not have this restriction.
Check that the tun-mtu is within the limits of min/max mtu in options.c. This ensures that the check is also correctly done on the pushed variant. Also add an extra check to keep the allowed payload for icmp6 packets to be at least 64 bytes in the block-ipv6 code path (ipv6_send_icmp_unreachable) as extra layer of defence. Pushing a low mtu like 1 and also block-ipv6 could trigger an assertion in the ipv6_send_icmp_unreachable code path.

Reported-By: Haiyang Huang <[email protected]>
Change-Id: Iff8b336126a5dff9871213664b1e8585fb70d21e
Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Gert Doering <[email protected]>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1708
---

This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.6.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1708
This mail reflects revision 1 of this Change.

Signed-off-by line for the author was added as per our policy.

Acked-by according to Gerrit (reflected above): Gert Doering <[email protected]>

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index e43ce28..2255951 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1610,6 +1610,8 @@ */ int max_payload_size = min_int(MAX_ICMPV6LEN, c->c2.frame.tun_mtu - icmpheader_len); + /* Ensure that minimum payload size is at least 64 bytes as extra safety layer */ + max_payload_size = max_int(max_payload_size, 64); int payload_len = min_int(max_payload_size, BLEN(&inputipbuf)); pip6out.payload_len = htons(sizeof(struct openvpn_icmp6hdr) + payload_len); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index d3df5b2..70ec43d 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -69,6 +69,11 @@ */ #define TUN_MTU_DEFAULT 1500 +/** + * Maximum MTU we accept for MTU related options + */ +#define TUN_MTU_MAX 65536 + /* * MTU Defaults for TAP devices */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 044aab3..ea640da 100644
--- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -6552,7 +6552,15 @@ else if (streq(p[0], "tun-mtu") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION); - options->ce.tun_mtu = positive_atoi(p[1]); + int mtu = positive_atoi(p[1]); + if (mtu < TUN_MTU_MIN || mtu > TUN_MTU_MAX) + { + msg(msglevel, "--mtu parm must be between %d and %d.", TUN_MTU_MIN, + TUN_MTU_MAX); + goto err; + } + + options->ce.tun_mtu = mtu; options->ce.tun_mtu_defined = true; if (p[2]) { _______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
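Review bot: the new floor in the forward.c hunk, `max_payload_size = max_int(max_payload_size, 64);`, means that whenever `c->c2.frame.tun_mtu - icmpheader_len` is below 64 the generated ICMPv6 unreachable packet can be larger than the configured tun_mtu; that is only acceptable because the options.c hunk now rejects such MTUs before they reach this code, and the comment should say so and give the reason for choosing 64, instead of describing the value as a "minimum payload size" when the variable is the upper bound fed into `min_int(max_payload_size, BLEN(&inputipbuf))` on the following line.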
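Review bot: `#define TUN_MTU_MAX 65536` in the mtu.h hunk is one more than the 65535 bytes a 16-bit IP total-length field can express, so please confirm that 65536 is the intended bound and not an off-by-one; in addition, the doc comment claims the limit applies to "MTU related options" in general, while this patch only enforces it for `tun-mtu` in options.c, so either narrow the comment to tun-mtu or apply the same range check to the other MTU options.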
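Review bot: the error message in the options.c hunk names the wrong option: `msg(msglevel, "--mtu parm must be between %d and %d.", TUN_MTU_MIN, TUN_MTU_MAX);` is emitted from the `streq(p[0], "tun-mtu")` branch, so it should read "--tun-mtu parm must be between %d and %d." to match what the user (or the pushed option) actually set; the range check itself is placed correctly, and because the branch keeps `VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION)` it also covers the pushed tun-mtu case that the commit message describes.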
