NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

PR/60392 CVS commit: src/sys/rump/net/lib/libwg



The following reply was made to PR bin/60392; it has been noted by GNATS.

From: "Taylor R Campbell" <riastradh%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc: 
Subject: PR/60392 CVS commit: src/sys/rump/net/lib/libwg
Date: Thu, 2 Jul 2026 00:32:00 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Thu Jul  2 00:32:00 UTC 2026
 
 Modified Files:
 	src/sys/rump/net/lib/libwg: wg_user.c
 
 Log Message:
 wg-userspace(8): Ignore recvfrom errors.
 
 On IPv6 networks, issuing sendto(2) when we've lost IPv6 connectivity
 may eventually lead to the next recvfrom(2) failing with EHOSTDOWN.
 Example ktrace:
 
   8072  16529 rump_server 1782951176.090085182 CALL  sendto(0xa,0x70fb4fa1b50c,0x60,0,0x70fb4f236b00,0x1c)
   8072  16529 rump_server 1782951176.090085664 MISC  msghdr: [name=0x70fb4f236b00, namelen=28, iov=0xffffc5126bfa8f50, iovlen=1, control=0x0, controllen=0, flags=0]
   8072  16529 rump_server 1782951176.090086919 MISC  mbsoname: [2601:...]
   8072  16529 rump_server 1782951176.090093493 GIO   fd 10 wrote 96 bytes
   8072  16529 rump_server 1782951176.090094033 RET   sendto 96/0x60
 ...
   8072  23248 rump_server 1782951180.090105990 CALL  recvfrom(0xa,0x70fb4efe203c,0x233a,0,0x70fb3f7cff50,0x70fb3f7cff4c)
   8072  23248 rump_server 1782951180.090106339 MISC  msghdr: [name=0x0, namelen=0, iov=0xffffc5126c63ff20, iovlen=1, control=0x0, controllen=0, flags=0]
   8072  23248 rump_server 1782951180.090107309 RET   recvfrom -1 errno 64 Host is down
 
 In this case, wg_user_rcvthread mistakenly ignored the failing result
 and blithely shoved the ssize_t -1 error indicator into
 iov[1].iov_len and passed it on to rumpkern_recv_peer:
 
 			nn = recvfrom(wgu->wgu_sock6, wgu->wgu_rcvbuf,
 			    sizeof(wgu->wgu_rcvbuf), 0, (struct sockaddr *)&sin6,
 			    &len);
 			if (nn == -1 && errno == EAGAIN)
 				continue;
 ...
 			iov[1].iov_base = wgu->wgu_rcvbuf;
 			iov[1].iov_len = nn;
 ...
 			rumpkern_wg_recv_peer(wgu->wgu_sc, iov, 2);
 
 rumpkern_wg_recv_peer then passed it through to m_copyback to fill a
 newly allocated mbuf:
 
 	m = m_gethdr(M_DONTWAIT, MT_DATA);
 	if (m == NULL)
 		return;
 	m->m_len = m->m_pkthdr.len = 0;
 	m_copyback(m, 0, iov[1].iov_len, iov[1].iov_base);
 
 And m_copyback takes int, not size_t.  So the all-bits-set turned
 into -1, which coincides with M_COPYALL, which means that we treat
 this case as a zero-length mbuf, which was the actual source of the
 phantom zero-length packets I initially thought were the cause of:
 
 PR bin/60392: assertion "mbuflen >= sizeof(struct wg_msg)" failed
 
 So several wrongs here made a right, turning several mistakes that
 could have been buffer overruns into a harmless crash.
 
 In any case, we don't really care that IPv6 is unreachable.  We'll
 just keep trying sendto until connectivity is restored, and then
 wg(4) packets can flow again.  So just ignore the recvfrom error.
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.3 -r1.4 src/sys/rump/net/lib/libwg/wg_user.c
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
 



Home | Main Index | Thread Index | Old Index