Module Name: src Committed By: riastradh Date: Sun Jan 16 20:43:20 UTC 2022
Modified Files: src/sys/net: if_wg.c Log Message: wg(4): Limit the size of ifdrv requests. Avoids potential integer overflow or kernel memory exhaustion. Reported by Thomas Leroy a while back. To generate a diff of this commit: cvs rdiff -u -r1.67 -r1.68 src/sys/net/if_wg.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/net/if_wg.c
diff -u src/sys/net/if_wg.c:1.67 src/sys/net/if_wg.c:1.68
--- src/sys/net/if_wg.c:1.67 Fri Dec 31 14:25:24 2021
+++ src/sys/net/if_wg.c Sun Jan 16 20:43:20 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: if_wg.c,v 1.67 2021/12/31 14:25:24 riastradh Exp $ */
+/* $NetBSD: if_wg.c,v 1.68 2022/01/16 20:43:20 riastradh Exp $ */
 
 /*
  * Copyright (C) Ryota Ozaki <ozaki.ry...@gmail.com>
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.67 2021/12/31 14:25:24 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.68 2022/01/16 20:43:20 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq_enabled.h"
@@ -271,6 +271,9 @@ wg_dump_hash(const uint8_t *func, const
 #define WG_DUMP_BUF(buf, size) __nothing
 #endif /* WG_DEBUG_DUMP */
 
+/* chosen somewhat arbitrarily -- fits in signed 16 bits NUL-termintaed */
+#define WG_MAX_PROPLEN 32766
+
 #define WG_MTU 1420
 #define WG_ALLOWEDIPS 16
 
@@ -4283,6 +4286,8 @@ wg_alloc_prop_buf(char **_buf, struct if
 char *buf;
 
 WG_DLOG("buf=%p, len=%lu\n", ifd->ifd_data, ifd->ifd_len);
+ if (ifd->ifd_len >= WG_MAX_PROPLEN)
+ return E2BIG;
 buf = kmem_alloc(ifd->ifd_len + 1, KM_SLEEP);
 error = copyin(ifd->ifd_data, buf, ifd->ifd_len);
 if (error != 0)
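Review bot: The comment above `WG_MAX_PROPLEN` misspells "terminated" (`NUL-termintaed`) and does not say what the constant bounds or in which unit. Since the value exists to cap a user-supplied `ifd_len` before it sizes a kernel allocation, I would spell that out, for example `/* cap on ifdrv ifd_len in bytes, excluding the NUL; chosen somewhat arbitrarily -- fits in signed 16 bits NUL-terminated */`. A reader auditing the ioctl path then sees why the limit is there without digging up the commit log.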
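Review bot: The new guard in wg_alloc_prop_buf compares with `>=`, so a request of exactly `WG_MAX_PROPLEN` bytes is rejected and the largest accepted length is 32765, one less than a constant named MAX and its "fits in signed 16 bits" comment suggest. Either write `if (ifd->ifd_len > WG_MAX_PROPLEN)` or keep `>=` and document the bound as exclusive; both forms keep `ifd->ifd_len + 1` in the kmem_alloc call from wrapping, so this is a clarity point rather than a safety one. The function begins and ends outside the hunk, so the copyin failure path is not visible here; it is worth confirming that it frees the buffer with the same `ifd_len + 1` size. Only this one site gains the bound, so if any other ifdrv handler copies `ifd_data` without going through wg_alloc_prop_buf it would presumably still accept an unbounded length.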