Module Name: src
Committed By: riastradh
Date: Tue Oct 8 02:29:40 UTC 2024
Modified Files:
src/sys/net: if_wg.c
src/tests/net/if_wg: t_basic.sh
Log Message:
wg(4): Fix wg_overudp_cb drop paths to null out *mp as caller needs.
PR kern/58688: userland panic of kernel via wg(4)
To generate a diff of this commit:
cvs rdiff -u -r1.131 -r1.132 src/sys/net/if_wg.c
cvs rdiff -u -r1.5 -r1.6 src/tests/net/if_wg/t_basic.sh
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/if_wg.c
diff -u src/sys/net/if_wg.c:1.131 src/sys/net/if_wg.c:1.132
--- src/sys/net/if_wg.c:1.131 Wed Jul 31 00:26:01 2024
+++ src/sys/net/if_wg.c Tue Oct 8 02:29:40 2024
@@ -1,4 +1,4 @@
-/* $NetBSD: if_wg.c,v 1.131 2024/07/31 00:26:01 riastradh Exp $ */
+/* $NetBSD: if_wg.c,v 1.132 2024/10/08 02:29:40 riastradh Exp $ */
/*
* Copyright (C) Ryota Ozaki <[email protected]>
@@ -43,7 +43,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.131 2024/07/31 00:26:01 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.132 2024/10/08 02:29:40 riastradh Exp $");
#ifdef _KERNEL_OPT
#include "opt_altq_enabled.h"
@@ -3662,6 +3662,24 @@ wg_so_upcall(struct socket *so, void *co
mutex_exit(wg->wg_intr_lock);
}
+/*
+ * wg_overudp_cb(&m, offset, so, src, arg)
+ *
+ * Callback for incoming UDP packets in high-priority
+ * packet-processing path.
+ *
+ * Three cases:
+ *
+ * - Data packet. Consumed here for high-priority handling.
+ * => Returns 1 and takes ownership of m.
+ *
+ * - Handshake packet. Defer to thread context via so_receive in
+ * wg_receive_packets.
+ * => Returns 0 and leaves caller with ownership of m.
+ *
+ * - Invalid. Dropped on the floor and freed.
+ * => Returns -1 and takes ownership of m (frees m).
+ */
static int
wg_overudp_cb(struct mbuf **mp, int offset, struct socket *so,
struct sockaddr *src, void *arg)
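Review bot: The new header comment says who owns m for each return value but never states what *mp holds on return, which per the log message is the contract the caller depends on. I would extend the two consuming cases to read `=> Returns 1, takes ownership of m, and sets *mp = NULL.` and `=> Returns -1, frees m, and sets *mp = NULL.`. For the passthrough case it should say that *mp is left for the caller; the later hunk shows no assignment before `return 0`, but the lines between the hunks should be checked. The function body lies outside this hunk, so this is judged from the later hunks only.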
@@ -3677,7 +3695,8 @@ wg_overudp_cb(struct mbuf **mp, int offs
if (__predict_false(m_length(m) - offset < sizeof(struct wg_msg))) {
/* drop on the floor */
m_freem(m);
- return -1;
+ *mp = NULL;
+ return -1; /* dropped */
}
/*
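Review bot: The length guard at the top of this hunk, `m_length(m) - offset < sizeof(struct wg_msg)`, only rejects short packets if offset never exceeds the chain length. Comparing against a size_t converts a negative difference into a very large unsigned value, so the drop branch would be skipped and the code after it would treat the packet as long enough. Whether the UDP caller guarantees that bound is not visible here. Stating the assumption in the test itself removes the dependency: `if (__predict_false(offset < 0 || m_length(m) < (size_t)offset + sizeof(struct wg_msg))) {`. The function starts before and continues after this hunk.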
@@ -3699,21 +3718,24 @@ wg_overudp_cb(struct mbuf **mp, int offs
m_adj(m, offset);
if (__predict_false(m->m_len < sizeof(struct wg_msg_data))) {
m = m_pullup(m, sizeof(struct wg_msg_data));
- if (m == NULL)
- return -1;
+ if (m == NULL) {
+ *mp = NULL;
+ return -1; /* dropped */
+ }
}
wg_handle_msg_data(wg, m, src);
*mp = NULL;
- return 1;
+ return 1; /* consumed */
case WG_MSG_TYPE_INIT:
case WG_MSG_TYPE_RESP:
case WG_MSG_TYPE_COOKIE:
/* pass through to so_receive in wg_receive_packets */
- return 0;
+ return 0; /* passthrough */
default:
/* drop on the floor */
m_freem(m);
- return -1;
+ *mp = NULL;
+ return -1; /* dropped */
}
}
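Review bot: The pair `*mp = NULL; return -1;` is now written out at three separate exits: the m_pullup failure and the default case here, plus the short-packet check in the previous hunk. Going by the log message, a missing copy of exactly this assignment is what the PR was about. Funnelling the exits through one label, e.g. `goto drop;` with `drop: m_freem(m); *mp = NULL; return -1;` at the end of the function, would keep the invariant in one place so a future drop path cannot forget it. The m_pullup failure arrives with m == NULL, so that only works if m_freem accepts NULL; otherwise that path should jump to a second label placed after the free. The start of the function is outside this hunk.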
Index: src/tests/net/if_wg/t_basic.sh
diff -u src/tests/net/if_wg/t_basic.sh:1.5 src/tests/net/if_wg/t_basic.sh:1.6
--- src/tests/net/if_wg/t_basic.sh:1.5 Tue Oct 8 02:28:43 2024
+++ src/tests/net/if_wg/t_basic.sh Tue Oct 8 02:29:40 2024
@@ -1,4 +1,4 @@
-# $NetBSD: t_basic.sh,v 1.5 2024/10/08 02:28:43 riastradh Exp $
+# $NetBSD: t_basic.sh,v 1.6 2024/10/08 02:29:40 riastradh Exp $
#
# Copyright (c) 2018 Ryota Ozaki <[email protected]>
# All rights reserved.
@@ -60,8 +60,6 @@ check_badudp()
else
atf_check -o ignore -e ignore \
$HIJACKING nc -6uv -w1 $ip $port </dev/null
- atf_expect_fail "PR kern/58688:" \
- " userland panic of kernel via wg(4)"
fi
}