Module Name: src
Committed By: riastradh
Date: Sun Jan 16 20:43:20 UTC 2022
Modified Files:
src/sys/net: if_wg.c
Log Message:
wg(4): Limit the size of ifdrv requests.
Avoids potential integer overflow or kernel memory exhaustion.
Reported by Thomas Leroy a while back.
To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 src/sys/net/if_wg.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/if_wg.c
diff -u src/sys/net/if_wg.c:1.67 src/sys/net/if_wg.c:1.68
--- src/sys/net/if_wg.c:1.67 Fri Dec 31 14:25:24 2021
+++ src/sys/net/if_wg.c Sun Jan 16 20:43:20 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: if_wg.c,v 1.67 2021/12/31 14:25:24 riastradh Exp $ */
+/* $NetBSD: if_wg.c,v 1.68 2022/01/16 20:43:20 riastradh Exp $ */
/*
* Copyright (C) Ryota Ozaki <ozaki.ry...@gmail.com>
@@ -41,7 +41,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.67 2021/12/31 14:25:24 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.68 2022/01/16 20:43:20 riastradh Exp $");
#ifdef _KERNEL_OPT
#include "opt_altq_enabled.h"
@@ -271,6 +271,9 @@ wg_dump_hash(const uint8_t *func, const
#define WG_DUMP_BUF(buf, size) __nothing
#endif /* WG_DEBUG_DUMP */
+/* chosen somewhat arbitrarily -- fits in signed 16 bits NUL-termintaed */
+#define WG_MAX_PROPLEN 32766
+
#define WG_MTU 1420
#define WG_ALLOWEDIPS 16
@@ -4283,6 +4286,8 @@ wg_alloc_prop_buf(char **_buf, struct if
char *buf;
WG_DLOG("buf=%p, len=%lu\n", ifd->ifd_data, ifd->ifd_len);
+ if (ifd->ifd_len >= WG_MAX_PROPLEN)
+ return E2BIG;
buf = kmem_alloc(ifd->ifd_len + 1, KM_SLEEP);
error = copyin(ifd->ifd_data, buf, ifd->ifd_len);
if (error != 0)
