forward: Fix potential unaligned access in drop_if_recursive_routing

ASAN error: forward.c:1433:13: runtime error: member access within misaligned address 0x51e00002f52e for type 'const struct in6_addr', which requires 4 byte alignment replace IN6_ARE_ADDR_EQUAL() which uses 32bit compares on Linux - alignment sensitive - with our own OPENVPN_IN6_ARE_ADDR_EQUAL() macro, which always does memcpy() and does not care for alignment. v2: Use memcmp instead of memcpy Change-Id: I74a9eec4954f3f9d208792b6b34357571f76ae4c Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20241211171349.8892-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30074.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 387c2076af14a0f1ba97b6ca0175d81d1e8391a5)
2025-05-09 21:51:05 +08:00 · 2024-12-11 18:13:48 +01:00 · 2024-12-11 18:13:48 +01:00 · 62d41dec8d
commit 62d41dec8d
parent 6d64fa4bff
2 changed files with 11 additions and 8 deletions
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@ -1379,8 +1379,6 @@ drop_if_recursive_routing(struct context *c, struct buffer *buf)

    if (proto_ver == 4)
    {
-        const struct openvpn_iphdr *pip;
-
        /* make sure we got whole IP header */
        if (BLEN(buf) < ((int) sizeof(struct openvpn_iphdr) + ip_hdr_offset))
        {
@ -1393,18 +1391,16 @@ drop_if_recursive_routing(struct context *c, struct buffer *buf)
            return;
        }

-        pip = (struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset);
+        struct openvpn_iphdr *pip = (struct openvpn_iphdr *) (BPTR(buf) + ip_hdr_offset);

        /* drop packets with same dest addr as gateway */
-        if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr)
+        if (memcmp(&tun_sa.addr.in4.sin_addr.s_addr, &pip->daddr, sizeof(pip->daddr)) == 0)
        {
            drop = true;
        }
    }
    else if (proto_ver == 6)
    {
-        const struct openvpn_ipv6hdr *pip6;
-
        /* make sure we got whole IPv6 header */
        if (BLEN(buf) < ((int) sizeof(struct openvpn_ipv6hdr) + ip_hdr_offset))
        {
@ -1417,9 +1413,10 @@ drop_if_recursive_routing(struct context *c, struct buffer *buf)
            return;
        }

+        struct openvpn_ipv6hdr *pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset);
+
        /* drop packets with same dest addr as gateway */
-        pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset);
-        if (IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr))
+        if (OPENVPN_IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr))
        {
            drop = true;
        }
--- a/src/openvpn/proto.h
+++ b/src/openvpn/proto.h
@ -103,6 +103,12 @@ struct openvpn_arp {
    in_addr_t ip_dest;
 };

+/** Version of IN6_ARE_ADDR_EQUAL that is guaranteed to work for
+ *  unaligned access. E.g. Linux uses 32bit compares which are
+ *  not safe if the struct is unaligned. */
+#define OPENVPN_IN6_ARE_ADDR_EQUAL(a, b) \
+    (memcmp(a, b, sizeof(struct in6_addr)) == 0)
+
 struct openvpn_iphdr {
 #define OPENVPN_IPH_GET_VER(v) (((v) >> 4) & 0x0F)
 #define OPENVPN_IPH_GET_LEN(v) (((v) & 0x0F) << 2)