dco_linux: ensure all client disconnects are processed

Stefan Baranoff · Stefan Baranoff · commit 48a571bcdbf2 · 2025-11-02T14:36:19.000Z
Under Linux DCO , netlink can return multiple messages in one call. The
receive calls in use call a callback once per message. Previously each
callback call would update flags on a global `dco` object. This was
based on two assumptions:
1. Only one code path would lead to a netlink receive call that would
   result in finding out a client disconnected. This path was set to
   handle the flags properly.
2. Each receive call would only trigger one callback that was setting
   the single set of flags on that global object.
Both of these are false assumptions.

Any receive call to netlink (e.g. to get stats) can result in receiving
"unrelated" messages, like client disconnects. A previous patch at least
unified the callbacks to handle running the proper callback code, but
that doesn't resolve the issue that the stats gathering path does not
have the code to handle a client disconnect.

Multiple messages can be processed in a single receive call, so if two
or more devices disconnect then a single read call will result in only
the last of the messages setting flags (overwriting the other callback
values set previously) and only that device is processed for
disconnection in user space.

This patch resolves both by handling the disconnect logic directly in
the netlink callback rather than setting flags and handling it later.
diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
@@ -984,23 +984,87 @@ ovpn_handle_msg(struct nl_msg *msg, void *arg)
                 return NL_SKIP;
             }
             int reason = nla_get_u8(dp_attrs[OVPN_DEL_PEER_ATTR_REASON]);
-            unsigned int peerid = nla_get_u32(dp_attrs[OVPN_DEL_PEER_ATTR_PEER_ID]);
+            unsigned int peer_id = nla_get_u32(dp_attrs[OVPN_DEL_PEER_ATTR_PEER_ID]);
 
             msg(D_DCO_DEBUG, "ovpn-dco: received CMD_DEL_PEER, ifindex: %d, peer-id %d, reason: %d",
-                ifindex, peerid, reason);
-            dco->dco_message_peer_id = peerid;
-            dco->dco_del_peer_reason = reason;
-            dco->dco_message_type = OVPN_CMD_DEL_PEER;
+                ifindex, peer_id, reason);
 
-            break;
+            if (dco->c->mode == CM_TOP)
+            {
+                struct multi_context *m = dco->c->multi;
+                struct multi_instance *mi = NULL;
+
+                /* no peer-specific message delivered -> nothing to process.
+                 * bail out right away
+                 */
+                if (peer_id < 0)
+                {
+                    return NL_SKIP;
+                }
+
+                if ((peer_id < m->max_clients) && (m->instances[peer_id]))
+                {
+                    mi = m->instances[peer_id];
+                    set_prefix(mi);
+                    dco->dco_del_peer_reason = reason;
+                    process_incoming_del_peer(m, mi, dco);
+                    clear_prefix();
+                }
+                else
+                {
+                    int msglevel = D_DCO;
+                    if (reason == OVPN_DEL_PEER_REASON_USERSPACE)
+                    {
+                        /* we receive OVPN_CMD_DEL_PEER message with reason USERSPACE
+                         * after we kill the peer ourselves. This peer may have already
+                         * been deleted, so we end up here.
+                         * In this case, print the following debug message with DCO_DEBUG
+                         * level only to avoid polluting the standard DCO level with this
+                         * harmless event.
+                         */
+                        msglevel = D_DCO_DEBUG;
+                    }
+                    msg(msglevel, "Received DCO message for unknown peer-id: %d, "
+                        "type %d, del_peer_reason %d", peer_id, OVPN_CMD_DEL_PEER,
+                        reason);
+                }
+
+            }
+            else
+            {
+                /* FreeBSD currently sends us removal notifcation with the old peer-id in
+                 * p2p mode with the ping timeout reason, so ignore that one to not shoot
+                 * ourselves in the foot and removing the just established session */
+                if (peer_id != dco->c->c2.tls_multi->dco_peer_id)
+                {
+                    msg(D_DCO_DEBUG, "%s: received message for mismatching peer-id %d, "
+                        "expected %d", __func__, peer_id,
+                        dco->c->c2.tls_multi->dco_peer_id);
+                    return NL_SKIP;
+                }
+                if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED)
+                {
+                    msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id "
+                        "%d", __func__, peer_id);
+                    trigger_ping_timeout_signal(dco->c);
+                    return NL_SKIP;
+                }
+            }
         }
+        break;
 
         default:
             msg(D_DCO, "ovpn-dco: received unknown command: %d", gnlh->cmd);
             dco->dco_message_type = 0;
             return NL_SKIP;
     }
 
+    dco->dco_message_type = 0;
+    dco->dco_message_peer_id = -1;
+    dco->dco_del_peer_reason = -1;
+    dco->dco_read_bytes = 0;
+    dco->dco_write_bytes = 0;
+
     return NL_OK;
 }
 
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
@@ -1290,16 +1290,6 @@ process_incoming_dco(struct context *c)
 
     switch (dco->dco_message_type)
     {
-        case OVPN_CMD_DEL_PEER:
-            if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED)
-            {
-                msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id "
-                    "%d", __func__, dco->dco_message_peer_id);
-                trigger_ping_timeout_signal(c);
-                return;
-            }
-            break;
-
         case OVPN_CMD_SWAP_KEYS:
             msg(D_DCO_DEBUG, "%s: received key rotation notification for peer-id %d",
                 __func__, dco->dco_message_peer_id);
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
@@ -3244,7 +3244,7 @@ multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const
 #endif
 
 #if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))
-static void
+void
 process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi,
                           dco_context_t *dco)
 {
@@ -3311,9 +3311,9 @@ multi_process_incoming_dco(struct multi_context *m)
     {
         mi = m->instances[peer_id];
         set_prefix(mi);
-        if (dco->dco_message_type == OVPN_CMD_DEL_PEER)
+        if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS)
         {
-            process_incoming_del_peer(m, mi, dco);
+            tls_session_soft_reset(mi->context.c2.tls_multi);
         }
 #if defined(TARGET_FREEBSD)
         else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER)
@@ -3326,28 +3326,11 @@ multi_process_incoming_dco(struct multi_context *m)
             CLEAR(dco->dco_float_peer_ss);
         }
 #endif /* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */
-        else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS)
-        {
-            tls_session_soft_reset(mi->context.c2.tls_multi);
-        }
         clear_prefix();
     }
     else
     {
-        int msglevel = D_DCO;
-        if (dco->dco_message_type == OVPN_CMD_DEL_PEER
-            && dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_USERSPACE)
-        {
-            /* we receive OVPN_CMD_DEL_PEER message with reason USERSPACE
-             * after we kill the peer ourselves. This peer may have already
-             * been deleted, so we end up here.
-             * In this case, print the following debug message with DCO_DEBUG
-             * level only to avoid polluting the standard DCO level with this
-             * harmless event.
-             */
-            msglevel = D_DCO_DEBUG;
-        }
-        msg(msglevel, "Received DCO message for unknown peer-id: %d, "
+        msg(D_DCO, "Received DCO message for unknown peer-id: %d, "
             "type %d, del_peer_reason %d", peer_id, dco->dco_message_type,
             dco->dco_del_peer_reason);
     }
diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h
@@ -43,6 +43,11 @@
 
 #define MULTI_PREFIX_MAX_LENGTH 256
 
+
+void
+process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi,
+                          dco_context_t *dco);
+
 /*
  * Walk (don't run) through the routing table,
  * deleting old entries, and possibly multi_instance
