NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

bin/60392: assertion "mbuflen >= sizeof(struct wg_msg)" failed



>Number:         60392
>Category:       bin
>Synopsis:       assertion "mbuflen >= sizeof(struct wg_msg)" failed
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jul 01 23:15:00 +0000 2026
>Originator:     Taylor R Campbell
>Release:        current, 11, 10
>Organization:
The ZeroBSD Foundatagram, Inc.
>Environment:
>Description:

	The kernel wg(4) implementation drops any incoming UDP packets
	of size smaller than sizeof(struct wg_msg) (4 bytes), but the
	userland librumpnet_wg.so is missing this check.

	Fortunately, the userland librumpnet_wg.so is always built with
	DIAGNOSTIC enabled, and we have an assertion about the size
	before we read past the end of the buffer, so there is no harm
	here beyond wg-userspace crashing.

>How-To-Repeat:

	1. start wg-userspace
	2. send a zero-, one-, two-, or three-byte UDP packet to it
	3. ???
	4. profit

>Fix:

	reject <4-byte packets in rumpkern_wg_recv_peer




Home | Main Index | Thread Index | Old Index