Opened 6 years ago

Closed 6 years ago

#297 closed Bug / Defect (fixed)

unable to create a tunnel over UDP

Reported by: danta
Owned by: Gert Döring
Priority: critical
Milestone:
Component: Networking
Version: OpenVPN 2.3.1 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

We just tried to upgrade from openvpn 2.2.2 to 2.3.1.
After upgrade we noticed that creating a tunnel over UDP fails and the following messages are logged:

10.32.64.229:1255 write UDPv4: Invalid argument (code=22)

stracing the problem brought us to

30929 sendmsg(6, {msg_name(16)={sa_family=AF_INET, sin_port=htons(1127), sin_addr=inet_addr("10.32.64.229")}, msg_iov(1)=[{"@\31\31}/\327b\2,\1\0\0\0\0\367O\242U\352<it\0\0\0\0", 26}], msg_controllen=24, {cmsg_len=2, cmsg_level=0x8c4ef00 /* SOL_??? */, cmsg_type=, ...}, msg_flags=0}, 0) = -1 EINVAL (Invalid argument)

It looks as if 'cmsg_len' and 'cmsg_level' are set incorrectly.
Trying to debug the problem with gdb we made a build with no optimizations (gcc 4.7.2 with -O0). With that build the problem goes away and everything seems to work.

Further digging brought us to src/openvpn/socket.c:2782 function link_socket_write_udp_posix_sendmsg

  struct iovec iov;
  struct msghdr mesg;
  struct cmsghdr *cmsg;
...
    {
        /* block-scoped: msgpi4 only exists until the closing brace below */
        struct openvpn_in4_pktinfo msgpi4;
...
        mesg.msg_control = &msgpi4;
        mesg.msg_controllen = sizeof msgpi4;
...
        cmsg = CMSG_FIRSTHDR (&mesg);
        cmsg->cmsg_len = sizeof (struct openvpn_in4_pktinfo);
...
    }
  /* mesg.msg_control still points at msgpi4, whose lifetime has ended */
  return sendmsg (sock->sd, &mesg, 0);

A pointer to a local variable msgpi4 is stored in mesg.msg_control and is later used by sendmsg(...) after it's been already destroyed.

I will attach a patch that solves the problem for us.

Attachments (1)

openvpn-2.3.1-udp-send.patch (1.4 KB) - added by danta 6 years ago.


Change History (4)

Changed 6 years ago by danta

comment:1 Changed 6 years ago by Gert Döring

Owner: set to Gert Döring
Status: new → accepted

Thanks for the report and patch. Yes, this code looks very much broken.

I'll look a bit more closely into your patch to understand what the union involved does, and will then commit it. If you want to be named as patch author, I'd need your name & mail address... (per private mail to gert <at> greenie.muc.de if you don't want it here in the open)

Last edited 6 years ago by Gert Döring

comment:2 Changed 6 years ago by danta

The union was copied from link_socket_read_udp_posix_recvmsg.
Just wanted to create an openvpn_in4_pktinfo or openvpn_in6_pktinfo on the stack and not both. This seemed the easiest.

comment:3 Changed 6 years ago by Gert Döring

Resolution: fixed
Status: accepted → closed

patch has been committed to master and release/2.3

8c431f960357d776cfd0961192214ad1b0942bfb (master)
02d027fd797a2ebfe846bd70d10cb4234cad957a (release/2.3)

thanks!
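
An added illustration of the lifetime rule this ticket turns on (not the attached patch and not OpenVPN's code): the control buffer handed to sendmsg() sits in storage that is still alive when the call is made, and cmsg_len is set with CMSG_LEN. The names udp_pktinfo_msg, build_pktinfo_msg and send_udp_from are hypothetical, and the standard Linux struct in_pktinfo with the CMSG macros stands in for OpenVPN's openvpn_in4_pktinfo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* exposes struct in_pktinfo on glibc */
#endif
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Hypothetical holder: everything the msghdr points at lives in one object. */
struct udp_pktinfo_msg {
    struct msghdr mesg;
    struct iovec iov;
    union {                     /* union gives the buffer cmsghdr alignment */
        struct cmsghdr align;
        char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    } ctl;
};

/* Fill m so that sendmsg() sends data to `to` using source address `src`. */
static void build_pktinfo_msg(struct udp_pktinfo_msg *m, struct sockaddr_in *to,
                              struct in_addr src, void *data, size_t len)
{
    struct in_pktinfo pi = {0};
    struct cmsghdr *cmsg;
    memset(m, 0, sizeof *m);
    m->iov.iov_base = data;
    m->iov.iov_len = len;
    m->mesg.msg_name = to;
    m->mesg.msg_namelen = sizeof *to;
    m->mesg.msg_iov = &m->iov;
    m->mesg.msg_iovlen = 1;
    m->mesg.msg_control = m->ctl.buf;       /* storage owned by the caller */
    m->mesg.msg_controllen = sizeof m->ctl.buf;
    cmsg = CMSG_FIRSTHDR(&m->mesg);
    cmsg->cmsg_level = IPPROTO_IP;
    cmsg->cmsg_type = IP_PKTINFO;
    cmsg->cmsg_len = CMSG_LEN(sizeof pi);   /* header plus payload, no padding */
    pi.ipi_spec_dst = src;                  /* local address to send from */
    memcpy(CMSG_DATA(cmsg), &pi, sizeof pi);
}

/* Build and send in one scope: m is still alive when sendmsg() reads it. */
static ssize_t send_udp_from(int sd, struct sockaddr_in *to, struct in_addr src,
                             void *data, size_t len)
{
    struct udp_pktinfo_msg m;
    build_pktinfo_msg(&m, to, src, data, len);
    return sendmsg(sd, &m.mesg, 0);
}
```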
