From nobody Tue Jul 5 17:55:48 2022 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 979351D1CA9D; Tue, 5 Jul 2022 17:55:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Lcr1w37cBz4tQt; Tue, 5 Jul 2022 17:55:48 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1657043748; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=y8IvjazQCZM0iCot1K+zt96y3kdAucqwSXcmUOL/DNY=; b=GA3kATwnDRvoye8QuEqgQnwrbK8EUF3C6qoMnc520RSAgcTetImB8MRIYWv1YwGWpmFv7p SjcXwS1LayCMZA1Nvojc8vF+ef1WhuS5aa11An1tbFMOSxbhnA9eNfKxNroW3b6xQUTSQY pww3j+Z18cBf29FpUHeycXbhd+KEt9Dw2vPiVkaawhETMpcaREfzXC7VgEAGzY19KkFO/b 1BA9VXDfa5BhAwg5b+wZL1Qby5LRz5Y9UpsaIienVeHXqlPeDsZlcEbL3KjVTeRF+xTSYI D9ufaBMuHz4U6g2HTFPgaYOxkXFzGNbHu4Yt4bH24qceqowhacXTWBVZsA7n+g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4ACDA2487; Tue, 5 Jul 2022 17:55:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 265Htm2S000920; Tue, 5 Jul 2022 17:55:48 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 265Htm4W000919; Tue, 5 Jul 2022 17:55:48 GMT (envelope-from git) Date: Tue, 5 Jul 2022 17:55:48 GMT Message-Id: <202207051755.265Htm4W000919@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kristof Provost Subject: git: 6ba6c05cb2d4 - main - if_ovpn: deal with short packets List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 6ba6c05cb2d4dd6510637fecb31e2b66e7495467 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1657043748; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=y8IvjazQCZM0iCot1K+zt96y3kdAucqwSXcmUOL/DNY=; b=Wzny8e2IusOvOwBa6HL17Z2LZgHn1Erlfvze1iSg4edbmcBNtAtpm+c9LEpmYh0s1ZNftg eUsaviHvFCp0/vzZIvTDkt0SDX9sOOGJxuKLPrXM2PPNGGpvrdy5ZRiS0B5fsRe5ibawEy T9DCltyYI39N/PH8DUXjKWlwhQXpAjmcOFl0MbBaDBTwzTMKRifoqu0n9a9KgBvMkXZcXz QYhQtOwJGCKuop0O2FVgkTUTPClgwXpdyY/Zm56Cx97viPfWN2rbX/8fiUI1MUFu/qpICi d9EH45Opfh2NjmvBmf5sFQsIAQEA8b6ir+K+dHBx4wVEp7kfe+oS04+U+6TsSQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1657043748; a=rsa-sha256; cv=none; b=Di6Isu/t6FqV8HyEDUH2oBXGiEsh/h6eiQPecMYt+l2+uY0gk9qmIWDdTDtJKTppCwBKRr CdiiximlPzsxSmVWAXWl+rekZSiBmck3LUgrNMgjf4josZz+fYBfBC5JBCcco5sj5dVahQ m9RgILBxzC4lR/TOiWHeRpZUNmzPZlhYdqtm7fLC7c4CQtzGkMzS023/piIPzqSDzQBFUf jxKQZotrVoBudVfNjVbc1+9zN805wg0/K9BYoNQauAlb/SfUlC2nzyQUCiHG1ARk6M8W9r OM0JnI+iO+zI8yNuyAm21T6oe9qcZlysC50/JPrdEQHQf1Qb1KEvNR+Vg7ehKw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=6ba6c05cb2d4dd6510637fecb31e2b66e7495467 commit 6ba6c05cb2d4dd6510637fecb31e2b66e7495467 Author: Kristof Provost AuthorDate: 2022-07-05 17:27:00 +0000 Commit: Kristof Provost CommitDate: 2022-07-05 17:27:00 +0000 if_ovpn: deal with short packets If we receive a UDP packet (directed towards an active OpenVPN socket) which is too short to contain an OpenVPN header ('struct ovpn_wire_header') we wound up making m_copydata() read outside the mbuf, and panicking the machine. Explicitly check that the packet is long enough to copy the data we're interested in. If it's not we will pass the packet to userspace, just like we'd do for an unknown peer. Extend a test case to provoke this situation. Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/net/if_ovpn.c | 7 +++++-- tests/sys/net/if_ovpn/if_ovpn.sh | 1 + 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c index 9430d1cebe56..779d51075e3d 100644 --- a/sys/net/if_ovpn.c +++ b/sys/net/if_ovpn.c @@ -2080,11 +2080,14 @@ ovpn_peer_from_mbuf(struct ovpn_softc *sc, struct mbuf *m, int off) { struct ovpn_wire_header ohdr; uint32_t peerid; + const size_t hdrlen = sizeof(ohdr) - sizeof(ohdr.auth_tag); OVPN_RASSERT(sc); - m_copydata(m, off + sizeof(struct udphdr), - sizeof(ohdr) - sizeof(ohdr.auth_tag), (caddr_t)&ohdr); + if (m_length(m, NULL) < (off + sizeof(struct udphdr) + hdrlen)) + return (NULL); + + m_copydata(m, off + sizeof(struct udphdr), hdrlen, (caddr_t)&ohdr); peerid = ntohl(ohdr.opcode) & 0x00ffffff; diff --git a/tests/sys/net/if_ovpn/if_ovpn.sh b/tests/sys/net/if_ovpn/if_ovpn.sh index fb32e3ed1895..faf21d5669b1 100644 --- a/tests/sys/net/if_ovpn/if_ovpn.sh +++ b/tests/sys/net/if_ovpn/if_ovpn.sh @@ -91,6 +91,7 @@ atf_test_case "4in4" "cleanup" # Give the tunnel time to come up sleep 10 + echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194 atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 }