Commit 6ba6c05c authored by Kristof Provost's avatar Kristof Provost
Browse files

if_ovpn: deal with short packets

If we receive a UDP packet (directed towards an active OpenVPN socket)
which is too short to contain an OpenVPN header ('struct
ovpn_wire_header') we wound up making m_copydata() read outside the
mbuf, and panicking the machine.

Explicitly check that the packet is long enough to copy the data we're
interested in. If it's not we will pass the packet to userspace, just
like we'd do for an unknown peer.

Extend a test case to provoke this situation.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
parent cbb019b8
......@@ -2080,11 +2080,14 @@ ovpn_peer_from_mbuf(struct ovpn_softc *sc, struct mbuf *m, int off)
{
struct ovpn_wire_header ohdr;
uint32_t peerid;
const size_t hdrlen = sizeof(ohdr) - sizeof(ohdr.auth_tag);
OVPN_RASSERT(sc);
m_copydata(m, off + sizeof(struct udphdr),
sizeof(ohdr) - sizeof(ohdr.auth_tag), (caddr_t)&ohdr);
if (m_length(m, NULL) < (off + sizeof(struct udphdr) + hdrlen))
return (NULL);
m_copydata(m, off + sizeof(struct udphdr), hdrlen, (caddr_t)&ohdr);
peerid = ntohl(ohdr.opcode) & 0x00ffffff;
......
......@@ -91,6 +91,7 @@ atf_test_case "4in4" "cleanup"
# Give the tunnel time to come up
sleep 10
echo 'foo' | jexec b nc -u -w 2 192.0.2.1 1194
atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
}
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment