ASAN error:
forward.c:1433:13: runtime error: member access within misaligned
address 0x51e00002f52e for type 'const struct in6_addr', which
requires 4 byte alignment
replace IN6_ARE_ADDR_EQUAL() which uses 32bit compares on Linux - alignment
sensitive - with our own OPENVPN_IN6_ARE_ADDR_EQUAL() macro, which always
does memcpy() and does not care for alignment.
v2: Use memcmp instead of memcpy
Change-Id: I74a9eec4954f3f9d208792b6b34357571f76ae4c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241211171349.8892-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30074.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 387c2076af14a0f1ba97b6ca0175d81d1e8391a5)
| ... | ... |
@@ -1379,8 +1379,6 @@ drop_if_recursive_routing(struct context *c, struct buffer *buf) |
| 1379 | 1379 |
|
| 1380 | 1380 |
if (proto_ver == 4) |
| 1381 | 1381 |
{
|
| 1382 |
- const struct openvpn_iphdr *pip; |
|
| 1383 |
- |
|
| 1384 | 1382 |
/* make sure we got whole IP header */ |
| 1385 | 1383 |
if (BLEN(buf) < ((int) sizeof(struct openvpn_iphdr) + ip_hdr_offset)) |
| 1386 | 1384 |
{
|
| ... | ... |
@@ -1393,18 +1391,16 @@ drop_if_recursive_routing(struct context *c, struct buffer *buf) |
| 1393 | 1393 |
return; |
| 1394 | 1394 |
} |
| 1395 | 1395 |
|
| 1396 |
- pip = (struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset); |
|
| 1396 |
+ struct openvpn_iphdr *pip = (struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset); |
|
| 1397 | 1397 |
|
| 1398 | 1398 |
/* drop packets with same dest addr as gateway */ |
| 1399 |
- if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr) |
|
| 1399 |
+ if (memcmp(&tun_sa.addr.in4.sin_addr.s_addr, &pip->daddr, sizeof(pip->daddr)) == 0) |
|
| 1400 | 1400 |
{
|
| 1401 | 1401 |
drop = true; |
| 1402 | 1402 |
} |
| 1403 | 1403 |
} |
| 1404 | 1404 |
else if (proto_ver == 6) |
| 1405 | 1405 |
{
|
| 1406 |
- const struct openvpn_ipv6hdr *pip6; |
|
| 1407 |
- |
|
| 1408 | 1406 |
/* make sure we got whole IPv6 header */ |
| 1409 | 1407 |
if (BLEN(buf) < ((int) sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset)) |
| 1410 | 1408 |
{
|
| ... | ... |
@@ -1417,9 +1413,10 @@ drop_if_recursive_routing(struct context *c, struct buffer *buf) |
| 1417 | 1417 |
return; |
| 1418 | 1418 |
} |
| 1419 | 1419 |
|
| 1420 |
+ struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset); |
|
| 1421 |
+ |
|
| 1420 | 1422 |
/* drop packets with same dest addr as gateway */ |
| 1421 |
- pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset); |
|
| 1422 |
- if (IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr)) |
|
| 1423 |
+ if (OPENVPN_IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr)) |
|
| 1423 | 1424 |
{
|
| 1424 | 1425 |
drop = true; |
| 1425 | 1426 |
} |
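Review bot: The new declarations of `pip` and `pip6` drop the `const` that the removed declarations carried, although the visible lines only read through these pointers into the packet buffer. Keeping it, e.g. `const struct openvpn_iphdr *pip = (const struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset);` and likewise for `pip6`, lets the compiler reject an accidental write to packet data in this check. In the IPv4 compare the length comes from `sizeof(pip->daddr)` alone, so it presumably relies on `s_addr` having the same size; a compile-time assertion on the two sizes would pin that. drop_if_recursive_routing() starts and ends outside these hunks, so later uses of the pointers are not visible here.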
| ... | ... |
@@ -103,6 +103,12 @@ struct openvpn_arp {
|
| 103 | 103 |
in_addr_t ip_dest; |
| 104 | 104 |
}; |
| 105 | 105 |
|
| 106 |
+/** Version of IN6_ARE_ADDR_EQUAL that is guaranteed to work for |
|
| 107 |
+ * unaligned access. E.g. Linux uses 32bit compares which are |
|
| 108 |
+ * not safe if the struct is unaligned. */ |
|
| 109 |
+#define OPENVPN_IN6_ARE_ADDR_EQUAL(a, b) \ |
|
| 110 |
+ (memcmp(a, b, sizeof(struct in6_addr)) == 0) |
|
| 111 |
+ |
|
| 106 | 112 |
struct openvpn_iphdr {
|
| 107 | 113 |
#define OPENVPN_IPH_GET_VER(v) (((v) >> 4) & 0x0F) |
| 108 | 114 |
#define OPENVPN_IPH_GET_LEN(v) (((v) & 0x0F) << 2) |
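Review bot: `OPENVPN_IN6_ARE_ADDR_EQUAL` passes its arguments straight to `memcmp()`, which accepts any pointer type, so a caller that hands it a pointer to an object shorter than `struct in6_addr` compiles cleanly and still reads `sizeof(struct in6_addr)` bytes. The doc comment should state that both arguments must point to a complete `struct in6_addr`-sized object, and the arguments should be parenthesized like the neighbouring macros: `(memcmp((a), (b), sizeof(struct in6_addr)) == 0)`. A typed inline function would add checking, but may let the compiler assume the parameter type's alignment again, so keeping the macro form looks deliberate. Whether this header includes `<string.h>` for `memcmp` is not visible in the hunk.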