1. openvpn
  2. Commit e8e1377d0fc3f11b65e415b68e6065d2e9eb836e
Browse code

Support for disabled peer-id

v5:
* Few more nickpicks

v4:
* replace magic number with define
* show user a decimal value instead of hex

v3:
* move assert outside of loop
* add max-clients value check to options

v2:
* Add round brackets for clarity
* Rephrase comment

Support for disabled peer-id

When peer-id value is 0xFFFFFF, server should ignore it and treat packet
in a same way as P_DATA_V1.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1474181496-24846-1-git-send-email-lstipakov@gmail.com>
URL: http://www.mail-archive.com/search?l=mid&q=1474181496-24846-1-git-send-email-lstipakov@gmail.com

Signed-off-by: Gert Doering <gert@greenie.muc.de>

Lev Stipakov authored on 2016/09/18 15:51:36
Showing 4 changed files
src/openvpn/mudp.c
History View file @ e8e1377
... ... 
@@ -64,12 +64,16 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated)
64 64 
       struct hash_bucket *bucket = hash_bucket (hash, hv);
65 65 
       uint8_t* ptr = BPTR(&m->top.c2.buf);
66 66 
       uint8_t op = ptr[0] >> P_OPCODE_SHIFT;
67 
+      bool v2 = (op == P_DATA_V2) && (m->top.c2.buf.len >= (1 + 3));
68 
+      bool peer_id_disabled = false;
67 69
68 70 
       /* make sure buffer has enough length to read opcode (1 byte) and peer-id (3 bytes) */
69 
-      if (op == P_DATA_V2 && m->top.c2.buf.len >= (1 + 3))
71 
+      if (v2)
70 72 
 	{
71 73 
 	  uint32_t peer_id = ntohl(*(uint32_t*)ptr) & 0xFFFFFF;
72 
-	  if ((peer_id < m->max_clients) && (m->instances[peer_id]))
74 
+	  peer_id_disabled = (peer_id == MAX_PEER_ID);
75 
+
76 
+	  if (!peer_id_disabled && (peer_id < m->max_clients) && (m->instances[peer_id]))
73 77 
 	    {
74 78 
 	      mi = m->instances[peer_id];
75 79
... ... 
@@ -84,7 +88,7 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated)
84 84 
 	      }
85 85 
 	    }
86 86 
 	}
87 
-      else
87 
+      if (!v2 || peer_id_disabled)
88 88 
 	{
89 89 
 	  he = hash_lookup_fast (hash, bucket, &real, hv);
90 90 
 	  if (he)
... ... 
@@ -107,6 +111,9 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated)
107 107 
 		      hash_add_fast (hash, bucket, &mi->real, hv, mi);
108 108 
 		      mi->did_real_hash = true;
109 109
110 
+		      /* max_clients must be less then max peer-id value */
111 
+		      ASSERT(m->max_clients < MAX_PEER_ID);
112 
+
110 113 
 		      for (i = 0; i < m->max_clients; ++i)
111 114 
 			{
112 115 
 			  if (!m->instances[i])
src/openvpn/multi.c
History View file @ e8e1377
... ... 
@@ -605,7 +605,8 @@ multi_close_instance (struct multi_context *m,
605 605 
 	}
606 606 
 #endif
607 607
608 
-      m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
608 
+      if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
609 
+	m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
609 610
610 611 
       schedule_remove_entry (m->schedule, (struct schedule_entry *) mi);
611 612
src/openvpn/openvpn.h
History View file @ e8e1377
... ... 
@@ -595,4 +595,7 @@ struct context
595 595 
 #define CIPHER_ENABLED(c) (false)
596 596 
 #endif
597 597
598 
+/* this represents "disabled peer-id" */
599 
+#define MAX_PEER_ID 0xFFFFFF
600 
+
598 601 
 #endif
src/openvpn/options.c
History View file @ e8e1377
... ... 
@@ -5893,6 +5893,11 @@ add_option (struct options *options,
5893 5893 
 	  msg (msglevel, "--max-clients must be at least 1");
5894 5894 
 	  goto err;
5895 5895 
 	}
5896 
+      if (max_clients >= MAX_PEER_ID) /* max peer-id value */
5897 
+	{
5898 
+	  msg (msglevel, "--max-clients must be less than %d", MAX_PEER_ID);
5899 
+	  goto err;
5900 
+	}
5896 5901 
       options->max_clients = max_clients;
5897 5902 
     }
5898 5903 
   else if (streq (p[0], "max-routes-per-client") && p[1] && !p[2])