Source-Changes-HG archive


[src/trunk]: src/sys/net wg(4): Limit the size of ifdrv requests.



details:   https://anonhg.NetBSD.org/src/rev/074a06b8912f
branches:  trunk
changeset: 359682:074a06b8912f
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Sun Jan 16 20:43:20 2022 +0000

description:
wg(4): Limit the size of ifdrv requests.

Avoids potential integer overflow or kernel memory exhaustion.

Reported by Thomas Leroy a while back.

diffstat:

 sys/net/if_wg.c |  9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diffs (37 lines):

diff -r ec3df7c4ce9a -r 074a06b8912f sys/net/if_wg.c
--- a/sys/net/if_wg.c   Sun Jan 16 20:25:36 2022 +0000
+++ b/sys/net/if_wg.c   Sun Jan 16 20:43:20 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_wg.c,v 1.67 2021/12/31 14:25:24 riastradh Exp $     */
+/*     $NetBSD: if_wg.c,v 1.68 2022/01/16 20:43:20 riastradh Exp $     */
 
 /*
  * Copyright (C) Ryota Ozaki <ozaki.ryota%gmail.com@localhost>
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.67 2021/12/31 14:25:24 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.68 2022/01/16 20:43:20 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq_enabled.h"
@@ -271,6 +271,9 @@
 #define WG_DUMP_BUF(buf, size) __nothing
 #endif /* WG_DEBUG_DUMP */
 
+/* chosen somewhat arbitrarily -- fits in signed 16 bits NUL-termintaed */
+#define        WG_MAX_PROPLEN          32766
+
 #define WG_MTU                 1420
 #define WG_ALLOWEDIPS          16
 
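Review bot: The comment above `WG_MAX_PROPLEN` misspells "NUL-terminated" as `NUL-termintaed` and does not say which quantity the constant bounds. Since the only use visible in this patch is the comparison against `ifd->ifd_len`, it would help to state that this is the maximum accepted `ifd_len` for an ifdrv request, not counting the NUL terminator, so a later reader does not have to work out from the call site whether the terminator is included in 32766.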
@@ -4283,6 +4286,8 @@
        char *buf;
 
        WG_DLOG("buf=%p, len=%lu\n", ifd->ifd_data, ifd->ifd_len);
+       if (ifd->ifd_len >= WG_MAX_PROPLEN)
+               return E2BIG;
        buf = kmem_alloc(ifd->ifd_len + 1, KM_SLEEP);
        error = copyin(ifd->ifd_data, buf, ifd->ifd_len);
        if (error != 0)
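Review bot: The new test `if (ifd->ifd_len >= WG_MAX_PROPLEN)` uses `>=`, so the largest accepted length is 32765 and `kmem_alloc(ifd->ifd_len + 1, KM_SLEEP)` tops out at 32766 bytes, one less than the "fits in signed 16 bits NUL-terminated" wording on the define suggests. This is safe either way, but the comparison and the comment should agree: either change the test to `>` or reword the comment to say the limit is exclusive. The placement is right, since the check runs before both the `+ 1` and the `copyin`, so a user-supplied `ifd_len` can no longer wrap the addition or drive an arbitrarily large sleeping allocation.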


