On 17/01/2025 13:16, Sabrina Dubroca wrote:
2025-01-13, 10:31:28 +0100, Antonio Quartulli wrote:static bool ovpn_encrypt_one(struct ovpn_peer *peer, struct sk_buff *skb) { - ovpn_skb_cb(skb)->peer = peer; + struct ovpn_crypto_key_slot *ks; + + if (unlikely(skb->ip_summed == CHECKSUM_PARTIAL && + skb_checksum_help(skb))) { + net_warn_ratelimited("%s: cannot compute checksum for outgoing packet for peer %u\n", + netdev_name(peer->ovpn->dev), peer->id); + return false; + } + + /* get primary key to be used for encrypting data */ + ks = ovpn_crypto_key_slot_primary(&peer->crypto); + if (unlikely(!ks)) + return false;/* take a reference to the peer because the crypto code may run async.* ovpn_encrypt_post() will release it upon completion @@ -118,7 +244,8 @@ static bool ovpn_encrypt_one(struct ovpn_peer *peer, struct sk_buff *skb)Adding in the few lines that got snipped: /* take a reference to the peer because the crypto code may run async. * ovpn_encrypt_post() will release it upon completion */ if (unlikely(!ovpn_peer_hold(peer))) { DEBUG_NET_WARN_ON_ONCE(1); return false; } This should never happen, but just in case, we'd want ovpn_crypto_key_slot_put() here.
ACK
return false; }
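Review bot: in ovpn_encrypt_one(), the return false after a failed ovpn_peer_hold() is reached only after ovpn_crypto_key_slot_primary() has already returned ks, so that path exits still holding the key slot. Either call ovpn_crypto_key_slot_put(ks) before that return, as suggested in the reply above, or take the peer reference before fetching the slot so the failure path has nothing to release. Separately, the !ks return is silent while the checksum failure just above it logs through net_warn_ratelimited(); a ratelimited message or a drop counter on the !ks path would make packets dropped for lack of a primary key visible.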
-- Antonio Quartulli OpenVPN Inc.

