Source-Changes-HG archive
[src/trunk]: src/sys/net Prevent memory corruption from wg_send_handshake_msg...
details: https://anonhg.NetBSD.org/src/rev/1651de1ca3b2
branches: trunk
changeset: 364442:1651de1ca3b2
user: hannken <hannken%NetBSD.org@localhost>
date: Fri Mar 25 08:57:50 2022 +0000
description:
Prevent memory corruption from wg_send_handshake_msg_init() on
LP64 machines with "MSIZE == 256", sparc64 for example.
wg_send_handshake_msg_init() tries to put 148 bytes into a buffer
of 144 bytes and overwrites 4 bytes following the mbuf. Check
for "sizeof() > MHLEN" and use a cluster in this case.
With help from Taylor R Campbell <riastradh@>
diffstat:
sys/net/if_wg.c | 16 ++++++++++++++--
1 files changed, 14 insertions(+), 2 deletions(-)
diffs (51 lines):
diff -r c26689b257ce -r 1651de1ca3b2 sys/net/if_wg.c
--- a/sys/net/if_wg.c Fri Mar 25 08:57:15 2022 +0000
+++ b/sys/net/if_wg.c Fri Mar 25 08:57:50 2022 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: if_wg.c,v 1.68 2022/01/16 20:43:20 riastradh Exp $ */
+/* $NetBSD: if_wg.c,v 1.69 2022/03/25 08:57:50 hannken Exp $ */
/*
* Copyright (C) Ryota Ozaki <ozaki.ryota%gmail.com@localhost>
@@ -41,7 +41,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.68 2022/01/16 20:43:20 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.69 2022/03/25 08:57:50 hannken Exp $");
#ifdef _KERNEL_OPT
#include "opt_altq_enabled.h"
@@ -1707,6 +1707,10 @@
wgs->wgs_state = WGS_STATE_INIT_ACTIVE;
m = m_gethdr(M_WAIT, MT_DATA);
+ if (sizeof(*wgmi) > MHLEN) {
+ m_clget(m, M_WAIT);
+ CTASSERT(sizeof(*wgmi) <= MCLBYTES);
+ }
m->m_pkthdr.len = m->m_len = sizeof(*wgmi);
wgmi = mtod(m, struct wg_msg_init *);
wg_fill_msg_init(wg, wgp, wgs, wgmi);
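Review bot: the result of m_clget(m, M_WAIT) is not checked before m_len is set to sizeof(*wgmi) on the following line, so the fix depends on the cluster always being attached. If M_WAIT guarantees that here, a KASSERT that M_EXT is set in m->m_flags after the call would document the assumption and catch a regression; if it does not, the failure needs handling before mtod() and wg_fill_msg_init() write into the mbuf.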
@@ -2056,6 +2060,10 @@
KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE);
m = m_gethdr(M_WAIT, MT_DATA);
+ if (sizeof(*wgmr) > MHLEN) {
+ m_clget(m, M_WAIT);
+ CTASSERT(sizeof(*wgmr) <= MCLBYTES);
+ }
m->m_pkthdr.len = m->m_len = sizeof(*wgmr);
wgmr = mtod(m, struct wg_msg_resp *);
wg_fill_msg_resp(wg, wgp, wgs, wgmr, wgmi);
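Review bot: CTASSERT(sizeof(*wgmr) <= MCLBYTES) sits inside the runtime if block, which reads as though the check were conditional, although it is a compile-time assertion. Placing it outside the block, directly before the sizeof(*wgmr) > MHLEN test, would make that clear. A one-line comment naming the case from the commit message (LP64 with MSIZE == 256) would also explain why a cluster can be needed for a message this small.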
@@ -2154,6 +2162,10 @@
KASSERT(mutex_owned(wgp->wgp_lock));
m = m_gethdr(M_WAIT, MT_DATA);
+ if (sizeof(*wgmc) > MHLEN) {
+ m_clget(m, M_WAIT);
+ CTASSERT(sizeof(*wgmc) <= MCLBYTES);
+ }
m->m_pkthdr.len = m->m_len = sizeof(*wgmc);
wgmc = mtod(m, struct wg_msg_cookie *);
wg_fill_msg_cookie(wg, wgp, wgmc, sender, mac1, src);
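Review bot: this is the third copy of the same size check and m_clget() call, differing only in the sizeof operand (*wgmi, *wgmr, *wgmc). A single shared helper or macro that takes the message size and returns the prepared mbuf would keep the three call sites consistent and make it harder to add a new message type without the MHLEN check.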