author | Jason A. Donenfeld <Jason@zx2c4.com> | 2016-07-03 22:04:51 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2016-07-03 22:04:51 +0200 |
commit | 6bb01a673d1b8805580f4f1a5506319da136a279 (patch) | |
tree | 116aa288a95e4808fae8c5cb25e5f9114929fc1a | |
parent | 79d5e05cc8116c6fb90da33db0b3b86ebe2e1f22 (diff) |
receive: protect against impossible conditions

It should never be the case that skb->head + skb->transport_header -
skb->data is greater than 2^16, but in case the kernel network stack
borks this at some point in the future, we don't want this to slyly
introduce a vulnerability into WireGuard.

Further, really smart compilers might be able to make deductions about
data_offset, and optimize accordingly.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r-- | src/receive.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/receive.c b/src/receive.c index 227b276..1b86489 100644 --- a/src/receive.c +++ b/src/receive.c @@ -47,6 +47,10 @@ static inline int skb_data_offset(struct sk_buff *skb, size_t *data_offset, size udp = udp_hdr(skb); *data_offset = (u8 *)udp - skb->data; + if (unlikely(*data_offset > U16_MAX)) { + net_dbg_ratelimited("Packet has offset at impossible location from %pISpfsc\n", &addr); + return -EINVAL; + } if (unlikely(*data_offset + sizeof(struct udphdr) > skb->len)) { net_dbg_ratelimited("Packet isn't big enough to have UDP fields from %pISpfsc\n", &addr); return -EINVAL; |
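Review bot: the added `if (unlikely(*data_offset > U16_MAX))` check in skb_data_offset() carries no comment explaining why U16_MAX is the bound or that the condition is defensive rather than reachable, so a later reader may remove it as dead code. A short comment above it would help, and it is worth stating there that because `*data_offset` is a `size_t`, the same comparison also rejects the case where `(u8 *)udp - skb->data` is negative and wraps to a very large value. The placement before `*data_offset + sizeof(struct udphdr) > skb->len` is right, since it keeps that addition from overflowing; please keep that ordering if the function is refactored. Minor: the commit message says "greater than 2^16" while the code rejects anything above U16_MAX (2^16 - 1); aligning the wording would avoid confusion.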