[Openvpn-devel] [S] Change in openvpn[master]: Add warning if a p2p NCP client connects to a p2mp server
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/323?usp=email )

Change subject: Add warning if a p2p NCP client connects to a p2mp server
..

Patch Set 1: Code-Review+1

(2 comments)

Patchset:

PS1:
LGTM, but I find it very difficult to see whether this is the right place for the check :/

File src/openvpn/ssl_ncp.c:

http://gerrit.openvpn.net/c/openvpn/+/323/comment/ddecee43_db5699c2 :
PS1, Line 262: /* For client doing the newer version of NCP (that send IV_CIPHER)
Since you have done other drive-by typo fixes, should say "clients" here.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/323?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I85ae4e1167e1395b4f59d5d0ecf6c38befcaa8a7
Gerrit-Change-Number: 323
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Comment-Date: Thu, 10 Aug 2023 16:25:27 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2] Fix unaligned access in macOS/Solaris hwaddr
The undefined behaviour USAN clang checker found this. This fix is a bit messy but so are the original structures. Patch v2: handle the fact we need to beyond the struct ifr correctly when mapping the result to struct sockaddr_dl Change-Id: Ia797c8801fa9a9bc10b6674efde5fdbd7132e4a8 Signed-off-by: Arne Schwabe --- src/openvpn/route.c | 32 +++- 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/src/openvpn/route.c b/src/openvpn/route.c index 90e981e97..bcf6fb878 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -3641,7 +3641,7 @@ get_default_gateway(struct route_gateway_info *rgi, openvpn_net_ctx_t *ctx) if (rgi->flags & RGI_IFACE_DEFINED) { struct ifconf ifc; -struct ifreq *ifr; +struct ifreq ifr; const int bufsize = 4096; char *buffer; 
@@ -3666,23 +3666,37 @@ get_default_gateway(struct route_gateway_info *rgi, openvpn_net_ctx_t *ctx) for (cp = buffer; cp <= buffer + ifc.ifc_len - sizeof(struct ifreq); ) { -ifr = (struct ifreq *)cp; +/* this is not always using an 8 byte alignment that struct ifr + * requires */ +memcpy(&ifr, cp, sizeof(struct ifreq)); #if defined(TARGET_SOLARIS) -const size_t len = sizeof(ifr->ifr_name) + sizeof(ifr->ifr_addr); +const size_t len = sizeof(ifr.ifr_name) + sizeof(ifr.ifr_addr); #else -const size_t len = sizeof(ifr->ifr_name) + max(sizeof(ifr->ifr_addr), ifr->ifr_addr.sa_len); +const size_t len = sizeof(ifr.ifr_name) + max(sizeof(ifr.ifr_addr), ifr.ifr_addr.sa_len); #endif -if (!ifr->ifr_addr.sa_family) +if (!ifr.ifr_addr.sa_family) { break; } -if (!strncmp(ifr->ifr_name, rgi->iface, IFNAMSIZ)) +if (!strncmp(ifr.ifr_name, rgi->iface, IFNAMSIZ)) { -if (ifr->ifr_addr.sa_family == AF_LINK) +if (ifr.ifr_addr.sa_family == AF_LINK) { -struct sockaddr_dl *sdl = (struct sockaddr_dl *)&ifr->ifr_addr; -memcpy(rgi->hwaddr, LLADDR(sdl), 6); +/* This is a broken member access. struct sockaddr_dl has + * 20 bytes while if_addr has only 16 bytes. So casting if_addr + * to struct sockaddr_dl gives (legitimate) warnings + * + * sockaddr_dl has 12 bytes space for the inrerface name and + * the hw address. So the last 4 that might be part of the + * hw address are not in if_addr, so we need + * + * So we use a memcpy here to avoid the warnings with ASAN + * that we are doing a very nasty cast here + */ +struct sockaddr_dl sdl = { 0 }; +memcpy(&sdl, cp + offsetof(struct ifreq, ifr_addr), sizeof(sdl)); +memcpy(rgi->hwaddr, LLADDR(&sdl), 6); rgi->flags |= RGI_HWADDR_DEFINED; } } -- 2.39.2 (Apple Git-143) ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
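Review bot: in the AF_LINK branch of the second hunk, memcpy(&sdl, cp + offsetof(struct ifreq, ifr_addr), sizeof(sdl)) reads more than the loop condition guarantees. The condition cp <= buffer + ifc.ifc_len - sizeof(struct ifreq) only ensures that one struct ifreq is available at cp, while the new comment says struct sockaddr_dl is 4 bytes larger than ifr_addr, so for the last entry the copy can run beyond ifc.ifc_len. Check that offsetof(struct ifreq, ifr_addr) + sizeof(sdl) still fits in the bytes remaining after cp before copying, or bound the copy by ifr.ifr_addr.sa_len on the targets that have it. Because sdl is now a fixed-size local copy, LLADDR(&sdl), which offsets into sdl_data by sdl_nlen, can also point outside sdl when the name length plus 6 exceeds the 12 bytes the comment mentions; validating sdl.sdl_nlen and sdl.sdl_alen before the 6-byte memcpy into rgi->hwaddr would cover that. The comment itself has an unfinished sentence ("so we need"), the typo "inrerface", and names ASAN where the commit message credits the undefined behaviour checker.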
[Openvpn-devel] [S] Change in openvpn[master]: Add warning if a p2p NCP client connects to a p2mp server
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/323?usp=email to review the following change. Change subject: Add warning if a p2p NCP client connects to a p2mp server .. Add warning if a p2p NCP client connects to a p2mp server Change-Id: I85ae4e1167e1395b4f59d5d0ecf6c38befcaa8a7 --- M src/openvpn/ssl_ncp.c M src/openvpn/ssl_ncp.h 2 files changed, 9 insertions(+), 2 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/23/323/1 diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index dafaef1..aae04e2 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -24,7 +24,7 @@ */ /** - * @file Control Channel SSL/Data dynamic negotion Module + * @file Control Channel SSL/Data dynamic negotiation Module * This file is split from ssl.c to be able to unit test it. */ @@ -267,6 +267,13 @@ remote_cipher = ""; } +if (extract_iv_proto(peer_info) & IV_PROTO_NCP_P2P) +{ +msg(M_WARN, "Note: peer reports running in P2P mode (no --pull/--client" +"option). It will not negotiate ciphers with this server. " +"Expect this connection to fail."); +} + char *tmp_ciphers = string_alloc(server_list, &gc_tmp); const char *token; diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h index d27ed24..de7a0e4 100644 --- a/src/openvpn/ssl_ncp.h +++ b/src/openvpn/ssl_ncp.h 
@@ -23,7 +23,7 @@ */ /** - * @file Control Channel SSL/Data dynamic negotion Module + * @file Control Channel SSL/Data dynamic negotiation Module * This file is split from ssl.h to be able to unit test it. */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/323?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I85ae4e1167e1395b4f59d5d0ecf6c38befcaa8a7 Gerrit-Change-Number: 323 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-MessageType: newchange ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
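Review bot: the warning added in the ssl_ncp.c hunk at @@ -267,6 +267,13 @@ is missing a space between two adjacent string literals. "(no --pull/--client" is followed directly by "option). It will not negotiate ciphers with this server. ", so the logged text reads "--clientoption)". Add a trailing space to the first literal, i.e. "(no --pull/--client ". The message is also emitted before the cipher list is walked and tells the user to expect the connection to fail; a short comment above the if stating why the IV_PROTO_NCP_P2P check belongs at this point in the function would address the placement doubt raised in review.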
[Openvpn-devel] [XS] Change in openvpn[master]: options: Do not hide variables from parent scope
Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/320?usp=email )

Change subject: options: Do not hide variables from parent scope
..

Patch Set 1: Code-Review+2

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/320?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I9f9d0f0d5ab03f8cdfd7ba7200f2d56613cc586d
Gerrit-Change-Number: 320
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Thu, 10 Aug 2023 13:49:43 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel