Module Name:    src
Committed By:   hannken
Date:           Fri Mar 25 08:57:51 UTC 2022

Modified Files:
        src/sys/net: if_wg.c

Log Message:
Prevent memory corruption from wg_send_handshake_msg_init() on
LP64 machines with "MSIZE == 256", sparc64 for example.

wg_send_handshake_msg_init() tries to put 148 bytes into a buffer
of 144 bytes and overwrites 4 bytes following the mbuf.  Check
for "sizeof() > MHLEN" and use a cluster in this case.

With help from Taylor R Campbell <riastradh@>


To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.69 src/sys/net/if_wg.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_wg.c
diff -u src/sys/net/if_wg.c:1.68 src/sys/net/if_wg.c:1.69
--- src/sys/net/if_wg.c:1.68	Sun Jan 16 20:43:20 2022
+++ src/sys/net/if_wg.c	Fri Mar 25 08:57:50 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_wg.c,v 1.68 2022/01/16 20:43:20 riastradh Exp $	*/
+/*	$NetBSD: if_wg.c,v 1.69 2022/03/25 08:57:50 hannken Exp $	*/
 
 /*
  * Copyright (C) Ryota Ozaki <ozaki.ry...@gmail.com>
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.68 2022/01/16 20:43:20 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.69 2022/03/25 08:57:50 hannken Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq_enabled.h"
@@ -1707,6 +1707,10 @@ wg_send_handshake_msg_init(struct wg_sof
 	wgs->wgs_state = WGS_STATE_INIT_ACTIVE;
 
 	m = m_gethdr(M_WAIT, MT_DATA);
+	if (sizeof(*wgmi) > MHLEN) {
+		m_clget(m, M_WAIT);
+		CTASSERT(sizeof(*wgmi) <= MCLBYTES);
+	}
 	m->m_pkthdr.len = m->m_len = sizeof(*wgmi);
 	wgmi = mtod(m, struct wg_msg_init *);
 	wg_fill_msg_init(wg, wgp, wgs, wgmi);
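Review bot: The outcome of the added `m_clget(m, M_WAIT)` is never checked, so if no cluster was attached the following `m->m_len = sizeof(*wgmi)` plus `mtod()`/`wg_fill_msg_init()` write sizeof(*wgmi) bytes into the MHLEN-byte in-mbuf area, which is exactly the overflow this commit sets out to fix. As far as I recall NetBSD's m_clget() may still return without a cluster under M_WAIT when the cluster hard limit is reached (PR_WAITOK|PR_LIMITFAIL), so M_WAIT alone is not a guarantee of M_EXT; worth verifying against uipc_mbuf.c. At minimum add `KASSERT(m->m_flags & M_EXT);` after the m_clget() call, or better free the mbuf and return an error if the function's return convention allows it. The `CTASSERT(sizeof(*wgmi) <= MCLBYTES)` would also read more naturally placed before the m_clget() it justifies rather than after it. wg_send_handshake_msg_init() begins outside the hunk.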
@@ -2056,6 +2060,10 @@ wg_send_handshake_msg_resp(struct wg_sof
 	KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE);
 
 	m = m_gethdr(M_WAIT, MT_DATA);
+	if (sizeof(*wgmr) > MHLEN) {
+		m_clget(m, M_WAIT);
+		CTASSERT(sizeof(*wgmr) <= MCLBYTES);
+	}
 	m->m_pkthdr.len = m->m_len = sizeof(*wgmr);
 	wgmr = mtod(m, struct wg_msg_resp *);
 	wg_fill_msg_resp(wg, wgp, wgs, wgmr, wgmi);
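Review bot: The same four-line cluster-attach sequence is now duplicated verbatim in three senders (init, resp, cookie), and each copy leaves the result of `m_clget(m, M_WAIT)` unchecked before `m->m_len` is set from the struct size; a small helper would give one place to size the mbuf and one place to check that M_EXT was actually set. If m_clget() can come back without a cluster (I believe it can when the cluster limit is hit, even with M_WAIT — please confirm), the unchecked path reintroduces the header-area overflow this commit fixes. The call site here would become `m = wg_get_msg_mbuf(sizeof(*wgmr));` followed by a NULL check, with the error handling matching whatever this function returns (its signature is outside the hunk).
```c
/* Allocate a packet-header mbuf with len contiguous bytes of data,
 * using a cluster when len does not fit in the mbuf header area.
 * Returns NULL if no cluster could be attached. */
static struct mbuf *
wg_get_msg_mbuf(size_t len)
{
	struct mbuf *m;

	KASSERT(len <= MCLBYTES);
	m = m_gethdr(M_WAIT, MT_DATA);
	if (len > MHLEN) {
		m_clget(m, M_WAIT);
		if ((m->m_flags & M_EXT) == 0) {
			m_freem(m);
			return NULL;
		}
	}
	m->m_pkthdr.len = m->m_len = len;
	return m;
}

/* … in wg_send_handshake_msg_resp(): … */
	m = wg_get_msg_mbuf(sizeof(*wgmr));
	/* NULL check and error return per this function's convention */
	wgmr = mtod(m, struct wg_msg_resp *);
```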
@@ -2154,6 +2162,10 @@ wg_send_cookie_msg(struct wg_softc *wg, 
 	KASSERT(mutex_owned(wgp->wgp_lock));
 
 	m = m_gethdr(M_WAIT, MT_DATA);
+	if (sizeof(*wgmc) > MHLEN) {
+		m_clget(m, M_WAIT);
+		CTASSERT(sizeof(*wgmc) <= MCLBYTES);
+	}
 	m->m_pkthdr.len = m->m_len = sizeof(*wgmc);
 	wgmc = mtod(m, struct wg_msg_cookie *);
 	wg_fill_msg_cookie(wg, wgp, wgmc, sender, mac1, src);
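Review bot: After the added `m_clget(m, M_WAIT)` there is no check that M_EXT was set before `m->m_len = sizeof(*wgmc)` and the `wg_fill_msg_cookie()` write through `mtod()`, so a failed cluster attach silently falls back to the MHLEN-byte header area and overruns it by the same margin the commit message describes. My understanding is that m_clget() under M_WAIT can still fail when the mbuf cluster limit is reached, so the wait flag alone does not make this safe; please verify against the current m_clget() implementation. A one-line `KASSERT(m->m_flags & M_EXT);` after m_clget() would at least make the failure loud, and a `m_freem(m)` plus error return would be the robust fix. wg_send_cookie_msg() begins outside the hunk.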
