Abort client-connect handler loop after first handler sets 'disable'.

The old code would run all (succeeding) handlers, then discover "one of
them set the 'disable' flag for this client", and then unroll all the
handlers.

Moving the 'disable' check into the loop makes it stop after the first
handler that fails or (succeeds and sets 'disable').  This is a bit
more logical in the log files, and has less potential side effects
due to running "later" client-connect handlers when we already know
they will have to be unrolled.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200727183436.6625-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20612.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index cfb34720d3928b05ac3387922d3bd16bab01d33f..0f9c586bef40569346af67dd2b6fadd24c84dc2a 100644 (file)
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2617,18 +2617,18 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi)
                 ASSERT(0);
         }
 
-        (*cur_handler_index)++;
-    }
+        /*
+         * Check for "disable" directive in client-config-dir file
+         * or config file generated by --client-connect script.
+         */
+        if (mi->context.options.disable)
+        {
+            msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
+                "'disable' directive");
+            cc_succeeded = false;
+        }
 
-    /*
-     * Check for "disable" directive in client-config-dir file
-     * or config file generated by --client-connect script.
-     */
-    if (mi->context.options.disable)
-    {
-        msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
-            "'disable' directive");
-        cc_succeeded = false;
+        (*cur_handler_index)++;
     }
 
     if (cc_succeeded)