Source-Changes-HG archive


[src/trunk]: src/sys/net Prevent memory corruption from wg_send_handshake_msg...



details:   https://anonhg.NetBSD.org/src/rev/1651de1ca3b2
branches:  trunk
changeset: 364442:1651de1ca3b2
user:      hannken <hannken%NetBSD.org@localhost>
date:      Fri Mar 25 08:57:50 2022 +0000

description:
Prevent memory corruption from wg_send_handshake_msg_init() on
LP64 machines with "MSIZE == 256", sparc64 for example.

wg_send_handshake_msg_init() tries to put 148 bytes into a buffer
of 144 bytes and overwrites 4 bytes following the mbuf.  Check
for "sizeof() > MHLEN" and use a cluster in this case.

With help from Taylor R Campbell <riastradh@>
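The failure mode the message describes (a 148-byte handshake struct placed in an mbuf whose header data area holds only 144 bytes) and the shape of the fix (take a cluster when the struct does not fit) as a userland C model. This is an added example, not NetBSD's code: the mbuf here is a simplified stand-in for the kernel's struct mbuf, MHLEN is assumed to be the 144 bytes the commit message reports for MSIZE == 256 on LP64, MCLBYTES is assumed to be a 2 KiB cluster, and the init message is modelled as an opaque 148-byte blob. The model also covers the case the commit's hunks do not handle, a cluster allocation that returns without attaching a cluster, by refusing to place the message instead of writing into the header area.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model of the mbuf sizing involved in this commit. The
 * constants are assumptions for the example, not values from sys/mbuf.h:
 * MHLEN is the 144 bytes the commit message gives for MSIZE == 256 on LP64,
 * MCLBYTES a typical 2 KiB cluster, and WG_MSG_INIT_LEN the 148-byte init
 * message the commit message describes.
 */
#define MHLEN           144
#define MCLBYTES        2048
#define M_EXT           0x0001
#define WG_MSG_INIT_LEN 148

struct mbuf_model {
	uint32_t  m_flags;
	size_t    m_len;
	uint8_t  *m_data;        /* current payload pointer */
	uint8_t   m_dat[MHLEN];  /* in-line header data area */
	uint8_t  *m_ext_buf;     /* cluster storage when M_EXT is set */
};

/* Set to 1 to simulate a cluster pool that hands back nothing. */
static int model_cluster_limit_hit;

/* Stand-in for m_gethdr(): a header mbuf whose data points at m_dat. */
static void m_gethdr_model(struct mbuf_model *m)
{
	memset(m, 0, sizeof(*m));
	m->m_data = m->m_dat;
}

/* Stand-in for m_clget(): on failure the mbuf is left without M_EXT. */
static void m_clget_model(struct mbuf_model *m)
{
	if (model_cluster_limit_hit)
		return;
	m->m_ext_buf = malloc(MCLBYTES);
	if (m->m_ext_buf == NULL)
		return;
	m->m_data = m->m_ext_buf;
	m->m_flags |= M_EXT;
}

static void m_freem_model(struct mbuf_model *m)
{
	free(m->m_ext_buf);
	m->m_ext_buf = NULL;
	m->m_flags &= ~M_EXT;
}

/* Bytes the pre-fix code writes past the header data area (148 -> 4). */
size_t overflow_bytes(size_t msglen)
{
	return msglen > MHLEN ? msglen - MHLEN : 0;
}

/*
 * Post-fix pattern: attach a cluster when the message does not fit in
 * MHLEN, and additionally confirm the cluster really was attached before
 * handing out a buffer. Returns the writable buffer or NULL.
 */
uint8_t *wg_msg_buffer(struct mbuf_model *m, size_t msglen)
{
	if (msglen > MCLBYTES)          /* the kernel checks this with CTASSERT() */
		return NULL;
	if (msglen > MHLEN) {
		m_clget_model(m);
		if ((m->m_flags & M_EXT) == 0)
			return NULL;    /* never fall back to the 144-byte m_dat */
	}
	m->m_len = msglen;
	return m->m_data;
}

/* Returns 1 if the init message was placed in a cluster, 0 if refused. */
int place_init_msg(int simulate_cluster_failure)
{
	struct mbuf_model m;
	uint8_t *p;
	int placed = 0;

	model_cluster_limit_hit = simulate_cluster_failure;
	m_gethdr_model(&m);
	p = wg_msg_buffer(&m, WG_MSG_INIT_LEN);
	if (p != NULL && (m.m_flags & M_EXT) && m.m_len == WG_MSG_INIT_LEN) {
		memset(p, 0xAA, WG_MSG_INIT_LEN);  /* stand-in for wg_fill_msg_init() */
		placed = 1;
	}
	m_freem_model(&m);
	return placed;
}

int main(void)
{
	size_t over = overflow_bytes(WG_MSG_INIT_LEN);
	int ok = place_init_msg(0);
	int refused = !place_init_msg(1);

	printf("pre-fix: %d-byte init message overruns m_dat by %zu bytes\n",
	    WG_MSG_INIT_LEN, over);
	printf("post-fix: placed in cluster=%d, refused on cluster failure=%d\n",
	    ok, refused);
	return 0;
}
```

The second branch in wg_msg_buffer() is the part a reviewer would ask for: the commit's hunks call m_clget() and then write sizeof(*wgmi) bytes through mtod() unconditionally, so in the model that corresponds to dropping the M_EXT test.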

diffstat:

 sys/net/if_wg.c |  16 ++++++++++++++--
 1 files changed, 14 insertions(+), 2 deletions(-)

diffs (51 lines):

diff -r c26689b257ce -r 1651de1ca3b2 sys/net/if_wg.c
--- a/sys/net/if_wg.c   Fri Mar 25 08:57:15 2022 +0000
+++ b/sys/net/if_wg.c   Fri Mar 25 08:57:50 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_wg.c,v 1.68 2022/01/16 20:43:20 riastradh Exp $     */
+/*     $NetBSD: if_wg.c,v 1.69 2022/03/25 08:57:50 hannken Exp $       */
 
 /*
  * Copyright (C) Ryota Ozaki <ozaki.ryota%gmail.com@localhost>
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.68 2022/01/16 20:43:20 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.69 2022/03/25 08:57:50 hannken Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq_enabled.h"
@@ -1707,6 +1707,10 @@
        wgs->wgs_state = WGS_STATE_INIT_ACTIVE;
 
        m = m_gethdr(M_WAIT, MT_DATA);
+       if (sizeof(*wgmi) > MHLEN) {
+               m_clget(m, M_WAIT);
+               CTASSERT(sizeof(*wgmi) <= MCLBYTES);
+       }
        m->m_pkthdr.len = m->m_len = sizeof(*wgmi);
        wgmi = mtod(m, struct wg_msg_init *);
        wg_fill_msg_init(wg, wgp, wgs, wgmi);
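Review bot: nothing after m_clget(m, M_WAIT) verifies that a cluster was actually attached, so if m_clget() returns with M_EXT clear the following `m->m_pkthdr.len = m->m_len = sizeof(*wgmi);` and the write through mtod() land in the 144-byte header area and overrun it exactly as the commit message describes. Suggest a test such as `if ((m->m_flags & M_EXT) == 0) { m_freem(m); ... }` right after the m_clget() call, taking whatever error path this function already uses. Minor: CTASSERT(sizeof(*wgmi) <= MCLBYTES) is a compile-time check, so placing it after a runtime allocation reads oddly; hoisting it above the if, or next to the struct definition, states the invariant more clearly.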
@@ -2056,6 +2060,10 @@
        KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE);
 
        m = m_gethdr(M_WAIT, MT_DATA);
+       if (sizeof(*wgmr) > MHLEN) {
+               m_clget(m, M_WAIT);
+               CTASSERT(sizeof(*wgmr) <= MCLBYTES);
+       }
        m->m_pkthdr.len = m->m_len = sizeof(*wgmr);
        wgmr = mtod(m, struct wg_msg_resp *);
        wg_fill_msg_resp(wg, wgp, wgs, wgmr, wgmi);
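Review bot: this is the second verbatim copy of the m_gethdr()/sizeof() > MHLEN/m_clget()/CTASSERT sequence (the init path above is the first, the cookie path below the third). Consider a small static helper, e.g. one taking the message size that does m_gethdr(), the MHLEN test, m_clget() and the m_pkthdr.len/m_len assignment, so that the three senders share one allocation path and any later change (such as checking that the cluster was attached) is made once rather than three times.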
@@ -2154,6 +2162,10 @@
        KASSERT(mutex_owned(wgp->wgp_lock));
 
        m = m_gethdr(M_WAIT, MT_DATA);
+       if (sizeof(*wgmc) > MHLEN) {
+               m_clget(m, M_WAIT);
+               CTASSERT(sizeof(*wgmc) <= MCLBYTES);
+       }
        m->m_pkthdr.len = m->m_len = sizeof(*wgmc);
        wgmc = mtod(m, struct wg_msg_cookie *);
        wg_fill_msg_cookie(wg, wgp, wgmc, sender, mac1, src);
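Review bot: the commit message names only wg_send_handshake_msg_init() and the 148-byte init message, yet this hunk applies the same cluster fallback to the cookie sender (and the previous hunk to the response sender) without saying whether sizeof(struct wg_msg_cookie) or sizeof(struct wg_msg_resp) also exceed MHLEN on the affected configuration. A sentence in the message noting that those two paths are changed defensively, or giving their sizes, would make the scope of the fix clear to anyone reading the log or bisecting later.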


