Re: [Openvpn-devel] [PATCH v2] Add Windows DNS Leak fix using WFP ('block-outside-dns')
On 16.11.2015 09:17, Selva Nair wrote: > Hi, > > Here are some comments on the code -- there is one apparent memory leak (see > below). > > > the word "external" is not required nor appropriate as it blocks all, isn't > it? I'm not a native speaker. If you say that, probably you're right. > > > This error/warning is unnecessary and confusing. If the user does not want to > block-outside-dns, why say "can't block"? And why the "without configured DNS > server" remark? That's a garbage. There used to be a check for configured 'dhcp-option DNS' and I forgot to remove that. Thanks. > > in win32.c > + > +ret = ConvertInterfaceIndexToLuid(index, ); > +if (ret == NO_ERROR) > +dmsg (D_LOW, "Tap Luid: %I64d", tapluid.Value); > + > > Is it safe to ignore the ret != NO_ERROR case? May be it is... > > > openvpnblob is allocated here, but not freed anywhere. Need to free it before > return. > > Finally, to nitpick, > There are a couple of unused variables > Some local vars could be eliminated (rpcStatus, dwFwAPIRetCode, ret) > FIREWALL_NAME defined as const, but passed to non-const > ZeroMemory --> CLEAR > CopyMemory --> memcpy > > Regards, > > Selva signature.asc Description: OpenPGP digital signature
Re: [Openvpn-devel] [PATCH v3] Notify clients about server's exit/restart
Hi, Since the new server side code does not actually *do* OCC any more we are just #ifdef'ing it to access options->ce.explicit_exit_notify because that one is only compiled in #ifdef ENABLE_OCC ... so we're coupling this new functionality to an #ifdef which is not really relevant. No good suggestion yet, just expressing thoughts... Since connection_entry->explicit_exit_notification is now used also outside of OCC context, I suggest to: 1) Remove #ifdef ENABLE_OCC around it's definition. 2) Fix comment there: /* Explicitly tell peer when we are exiting via OCC_EXIT or control channel [RESTART] message */ 3) Remove (unneeded anymore) #ifdef in multi_process_signal around accessing explicit_exit_notification. What do you think? -Lev
Re: [Openvpn-devel] [PATCH v2] Add Windows DNS Leak fix using WFP ('block-outside-dns')
Hi,
Here are some comments on the code -- there is one apparent memory leak
(see below).
.\"*
> .TP
> +.B \-\-block\-outside\-dns
> +Block external DNS servers on other network adapters to prevent
>
the word "external" is not required nor appropriate as it blocks all, isn't
it?
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -1468,6 +1468,22 @@ do_open_tun (struct context *c)
>"up",
>c->c2.es);
> +#if _WIN32_WINNT >= 0x0600
> + if (c->options.block_outside_dns)
> + {
> + if (!win_wfp_init())
> +msg (M_NONFATAL, "Initialising WFP failed!");
> +else
> +{
> +dmsg (D_LOW, "Blocking outside DNS");
> +if (!win_wfp_block_dns(c->c1.tuntap->adapter_index))
> +msg (M_NONFATAL, "Blocking DNS failed!");
> +}
> + }
> + else
> + msg (M_NONFATAL, "Can't block outside DNS without configured
> DNS server");
>
This error/warning is unnecessary and confusing. If the user does not want
to block-outside-dns, why say "can't block"? And why the "without
configured DNS server" remark?
in win32.c
+
+ret = ConvertInterfaceIndexToLuid(index, );
+if (ret == NO_ERROR)
+dmsg (D_LOW, "Tap Luid: %I64d", tapluid.Value);
+
Is it safe to ignore the ret != NO_ERROR case? May be it is...
+
> +/* Get OpenVPN path. */
> +GetModuleFileNameW(NULL, openvpnpath, MAX_PATH);
> +
> +if (FwpmGetAppIdFromFileName0(openvpnpath, ) !=
> ERROR_SUCCESS)
>
openvpnblob is allocated here, but not freed anywhere. Need to free it
before return.
Finally, to nitpick,
There are a couple of unused variables
Some local vars could be eliminated (rpcStatus, dwFwAPIRetCode, ret)
FIREWALL_NAME defined as const, but passed to non-const
ZeroMemory --> CLEAR
CopyMemory --> memcpy
Regards,
Selva
