NetBSD-Bugs archive


kern/60232: kernel panic when adding a wireguard peer with too many allowed IP addresses



>Number:         60232
>Category:       kern
>Synopsis:       kernel panic when adding a wireguard peer with too many allowed IP addresses
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May 06 16:55:01 +0000 2026
>Originator:     Christof Meerwald
>Release:        11.0_RC3
>Organization:
>Environment:
NetBSD linveo.cmeerw.net 11.0_RC3 NetBSD 11.0_RC3 (GENERIC) #0: Sat Apr  4 06:08:56 UTC 2026  mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
if_wg.c wg_handle_prop_peer happily adds all the IP addresses provided without checking whether it is overflowing a fixed-size buffer (WG_ALLOWEDIPS 16).

>How-To-Repeat:
# wgconfig wg0 add peer test HdnnT5tllAxOKuil8l+KZeLPL8V12r/8UXlhvzeWzRU= --endpoint=127.0.0.1:12345 --allowed-ips=127.0.0.2/32,127.0.0.3/32,127.0.0.4/32,127.0.0.5/32,127.0.0.6/32,127.0.0.7/32,127.0.0.8/32,127.0.0.9/32,127.0.0.10/32,127.0.0.11/32,127.0.0.12/32,127.0.0.13/32,127.0.0.14/32,127.0.0.15/32,127.0.0.16/32,127.0.0.17/32,127.0.0.18/32,127.0.0.19/32,127.0.0.20/32,127.0.0.21/32,127.0.0.22/32,127.0.0.23/32

>Fix:
Check that we are not adding more than WG_ALLOWEDIPS IP addresses.
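The following is an added illustration of the pattern the report describes and of the fix it proposes; it is not NetBSD's if_wg.c. The only facts taken from the report are the fixed table of WG_ALLOWEDIPS (16) entries and the 22-address request; the struct layout, the field and function names, and the entry encoding are assumptions. It builds the report's 127.0.0.2/32 ... list as constructed input, runs it through an unchecked add that trusts the caller's count, and through a checked add that validates the total before copying so a rejected request leaves the peer untouched. A canary field placed after the table shows which neighbouring memory an unchecked add overwrites.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug, not NetBSD's if_wg.c: only WG_ALLOWEDIPS (16)
 * and the 22-address request come from the report. Names and layout below
 * are assumptions made for this demo. */
#define WG_ALLOWEDIPS 16
#define CANARY 0xDEADBEEFu

struct wg_allowedip {            /* hypothetical entry encoding */
    uint8_t family;              /* 4 or 6 */
    uint8_t cidr;
    uint8_t addr[16];
};

struct wg_peer {
    struct wg_allowedip allowedips[WG_ALLOWEDIPS];
    uint32_t canary;             /* stands in for whatever field follows the table */
    uint8_t  slack[8 * sizeof(struct wg_allowedip)]; /* keeps the demo's overrun inside this object */
    size_t   n_allowedips;
};

static void
peer_init(struct wg_peer *peer)
{
    memset(peer, 0, sizeof(*peer));
    peer->canary = CANARY;
}

/* Vulnerable pattern: copies every supplied entry, trusting the caller's count.
 * The store goes by byte offset from the struct base only so the overrun lands
 * in 'canary'/'slack' of this same object; real code would just write
 * peer->allowedips[peer->n_allowedips++] and corrupt whatever follows. */
static int
add_allowedips_unchecked(struct wg_peer *peer, const struct wg_allowedip *in, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        size_t off = offsetof(struct wg_peer, allowedips) + peer->n_allowedips * sizeof(*in);
        memcpy((uint8_t *)peer + off, &in[i], sizeof(*in));
        peer->n_allowedips++;
    }
    return 0;
}

/* Hardened form: reject before touching the peer, so a bad request leaves no
 * partially-applied list. The subtraction avoids wrapping size_t for huge n. */
static int
add_allowedips_checked(struct wg_peer *peer, const struct wg_allowedip *in, size_t n)
{
    if (n > WG_ALLOWEDIPS || peer->n_allowedips > WG_ALLOWEDIPS - n)
        return EINVAL;
    for (size_t i = 0; i < n; i++)
        peer->allowedips[peer->n_allowedips++] = in[i];
    return 0;
}

/* Constructed input mirroring the report: 127.0.0.2/32, 127.0.0.3/32, ... */
static void
make_v4_entries(struct wg_allowedip *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        memset(&out[i], 0, sizeof(out[i]));
        out[i].family = 4;
        out[i].cidr = 32;
        out[i].addr[0] = 127;
        out[i].addr[3] = (uint8_t)(2 + i);
    }
}

/* Returns 1 if the report's 22-entry request corrupted the field after the table. */
int
unchecked_clobbers_neighbour(void)
{
    struct wg_peer peer;
    struct wg_allowedip in[22];
    peer_init(&peer);
    make_v4_entries(in, 22);
    add_allowedips_unchecked(&peer, in, 22);
    return peer.canary != CANARY;
}

/* Applies 'already' entries, then 'more' on top; returns the checked add's
 * result for the second call (0 or EINVAL). The canary must survive either way. */
int
checked_result(size_t already, size_t more)
{
    struct wg_peer peer;
    struct wg_allowedip in[32];
    peer_init(&peer);
    make_v4_entries(in, 32);
    if (add_allowedips_checked(&peer, in, already) != 0)
        return -1;                       /* setup must fit in the table */
    int rc = add_allowedips_checked(&peer, in, more);
    if (peer.canary != CANARY)
        return -2;                       /* must never happen with the check in place */
    return rc;
}

int
main(void)
{
    printf("unchecked 22-entry add corrupts neighbour: %s\n",
        unchecked_clobbers_neighbour() ? "yes" : "no");
    printf("checked 22-entry add: %s\n",
        checked_result(0, 22) == EINVAL ? "EINVAL" : "accepted");
    printf("checked 16-entry add: %s\n",
        checked_result(0, 16) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check counts the entries already present plus the new ones before any copy, rather than testing inside the loop; an in-loop check would stop the overflow but could leave a peer with half of the requested allowed IPs applied, which is a worse failure mode for a configuration ioctl than a clean EINVAL.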



