id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
1390,mlock without raising lock limit may result in DoS for the entire system,zugschlus,,"Hi,

when mlock is enabled without appropriately raising the Memlock limit, the OpenVPN daemon might encounter an out of memory situation. This is documented and expected. However, the daemon can report this situation up to (but probably not limited to) 13000 times a second, at the emergency severity. With most syslog daemons being configured to send emergency messages to everybody logged in, this situation is impossible to fix. A simple user error thus results in a DoS that can only be remedied by a hard shutdown (I experienced this on an embedded system that didn't even respond to MagicSysRq even though it was supposed to).

I know this is a clear user error, and I am not even sure whether it was OpenVPN itself or some other part of the system that went havoc in the situation.

On the OpenVPN side, would it be possible to rate limit the out of memory message? Additionally, I suspect that after a failed malloc, the daemon's state is pretty much toast anyway, so it would probably not hurt to just terminate?

Thanks to the joy of automation, the faulty configuration was rolled out to all my OpenVPN clients and I can therefore confirm that the issue happens on x86_64 and the ARM architecture, and both with OpenVPN 2.5.1, the version in Debian unstable, as well as 2.4.7 on Debian stable.

Thanks for your consideration.

Greetings
Marc

Log Entries:
Mar 6 16:13:34 drop ovpn-zg2-client[3196285]: TLS: soft reset sec=3600/3600 bytes=420861444/-1 pkts=534573/0
Mar 6 16:13:34 drop ovpn-zg2-client[3196285]: OpenSSL: error:07064041:memory buffer routines:BUF_MEM_grow:malloc failure
Mar 6 16:13:34 drop ovpn-zg2-client[3196285]: OpenSSL: error:14161044:SSL routines:state_machine:internal error
Mar 6 16:13:34 drop ovpn-zg2-client[3196285]: TLS_ERROR: BIO read tls_read_plaintext error
Mar 6 16:13:34 drop ovpn-zg2-client[3196285]: TLS Error: TLS object -> incoming plaintext read error
Mar 6 16:13:34 drop ovpn-zg2-client[3196285]: TLS Error: TLS handshake failed
Mar 6 16:13:34 drop ovpn-zg2-client[3196285]: TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
Mar 6 16:13:34 drop t of memory [3196285]
Mar 6 16:13:34 drop t of memory [3196285]
Mar 6 16:13:34 drop t of memory [3196285]
Mar 6 16:13:34 drop t of memory [3196285]
Mar 6 16:13:34 drop t of memory [3196285]
(many thousands more not copied).
",Bug / Defect,closed,minor,release 2.6,Generic / unclassified,OpenVPN 2.5.0 (Community Ed),"Not set (select this one, unless your'e a OpenVPN developer)",fixed,,