CVS commit: src

Taylor R Campbell Wed, 26 Aug 2020 19:53:29 -0700

Module Name:    src
Committed By:   riastradh
Date:           Thu Aug 27 02:52:34 UTC 2020


Modified Files:
        src/sys/net: if_wg.c
        src/tests/net/if_wg: t_misc.sh

Log Message:
wg: Check mbuf chain length before m_copydata.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 src/sys/net/if_wg.c
cvs rdiff -u -r1.2 -r1.3 src/tests/net/if_wg/t_misc.sh

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_wg.c
diff -u src/sys/net/if_wg.c:1.24 src/sys/net/if_wg.c:1.25
--- src/sys/net/if_wg.c:1.24	Wed Aug 26 16:03:41 2020
+++ src/sys/net/if_wg.c	Thu Aug 27 02:52:33 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_wg.c,v 1.24 2020/08/26 16:03:41 riastradh Exp $	*/
+/*	$NetBSD: if_wg.c,v 1.25 2020/08/27 02:52:33 riastradh Exp $	*/
 
 /*
  * Copyright (C) Ryota Ozaki <ozaki.ry...@gmail.com>
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.24 2020/08/26 16:03:41 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.25 2020/08/27 02:52:33 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -2915,9 +2915,25 @@ wg_overudp_cb(struct mbuf **mp, int offs
 
 	WG_TRACE("enter");
 
+	/* Verify the mbuf chain is long enough to have a wg msg header.  */
+	KASSERT(offset <= m_length(m));
+	if (__predict_false(m_length(m) - offset < sizeof(struct wg_msg))) {
+		m_freem(m);
+		return -1;
+	}
+
+	/*
+	 * Copy the message header (32-bit message type) out -- we'll
+	 * worry about contiguity and alignment later.
+	 */
 	m_copydata(m, offset, sizeof(struct wg_msg), &wgm);
 	WG_DLOG("type=%d\n", wgm.wgm_type);
 
+	/*
+	 * Handle DATA packets promptly as they arrive.  Other packets
+	 * may require expensive public-key crypto and are not as
+	 * sensitive to latency, so defer them to the worker thread.
+	 */
 	switch (wgm.wgm_type) {
 	case WG_MSG_TYPE_DATA:
 		m_adj(m, offset);

Index: src/tests/net/if_wg/t_misc.sh
diff -u src/tests/net/if_wg/t_misc.sh:1.2 src/tests/net/if_wg/t_misc.sh:1.3
--- src/tests/net/if_wg/t_misc.sh:1.2	Thu Aug 27 02:51:49 2020
+++ src/tests/net/if_wg/t_misc.sh	Thu Aug 27 02:52:33 2020
@@ -1,4 +1,4 @@
-#	$NetBSD: t_misc.sh,v 1.2 2020/08/27 02:51:49 riastradh Exp $
+#	$NetBSD: t_misc.sh,v 1.3 2020/08/27 02:52:33 riastradh Exp $
 #
 # Copyright (c) 2018 Ryota Ozaki <ozaki.ry...@gmail.com>
 # All rights reserved.
@@ -588,6 +588,78 @@ wg_psk_cleanup()
 	cleanup
 }
 
+atf_test_case wg_malformed cleanup
+wg_malformed_head()
+{
+
+	atf_set "descr" "tests malformed packet headers"
+	atf_set "require.progs" "nc" "rump_server" "wgconfig" "wg-keygen"
+	atf_set "timeout" "10"
+}
+
+wg_malformed_body()
+{
+	local ifconfig="atf_check -s exit:0 rump.ifconfig"
+	local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w 1"
+	local ip_local=192.168.1.1
+	local ip_peer=192.168.1.2
+	local ip_wg_local=10.0.0.1
+	local ip_wg_peer=10.0.0.2
+	local port=51820
+	setup_servers
+
+	# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
+	generate_keys
+
+	export RUMP_SERVER=$SOCK_LOCAL
+	setup_common shmif0 inet $ip_local 24
+	setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"
+
+	export RUMP_SERVER=$SOCK_PEER
+	setup_common shmif0 inet $ip_peer 24
+	setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"
+
+	export RUMP_SERVER=$SOCK_LOCAL
+	add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32
+
+	export RUMP_SERVER=$SOCK_PEER
+	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
+
+	export RUMP_SERVER=$SOCK_LOCAL
+
+	$ping $ip_wg_peer
+
+	printf 'send malformed packets\n'
+
+	$HIJACKING ping -c 1 -n $ip_peer
+
+	printf 'x' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+	printf 'xy' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+	printf 'xyz' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+	printf 'xyzw' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+	printf '\x00\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+	printf '\x00\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+	printf '\x01\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+	printf '\x01\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+	printf '\x02\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+	printf '\x02\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+	printf '\x03\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+	printf '\x03\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+	printf '\x04\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+	printf '\x04\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+
+	printf 'done sending malformed packets\n'
+
+	$ping $ip_wg_peer
+}
+
+wg_malformed_cleanup()
+{
+
+	$DEBUG && dump
+	cleanup
+}
+
 atf_init_test_cases()
 {
 
@@ -597,4 +669,5 @@ atf_init_test_cases()
 	atf_add_test_case wg_mobility
 	atf_add_test_case wg_keepalive
 	atf_add_test_case wg_psk
+	atf_add_test_case wg_malformed
 }

CVS commit: src

Reply via email to