author | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-06-25 16:24:23 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-06-26 12:35:06 +0200 |
commit | 3b2b6e7c1eb6a8d24c057e7f032e5cd4fea191fe (patch) | |
tree | a9fca6dd1a0443e9e4096d9c44867630c36624b9 /src/device.c | |
parent | 8644e1cddac2df86a67e3a407629d8416f8a3c5e (diff) |
global: cleanup IP header checking
This way is more correct and ensures we're within the skb head.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'src/device.c')
-rw-r--r-- | src/device.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/device.c b/src/device.c
index 22632e5..c299d19 100644
--- a/src/device.c
+++ b/src/device.c
@@ -119,6 +119,12 @@ static netdev_tx_t xmit(struct sk_buff *skb, struct net_device *dev)
 goto err;
 }
+ if (unlikely(skb_examine_untrusted_ip_hdr(skb) != skb->protocol)) {
+ ret = -EPROTONOSUPPORT;
+ net_dbg_ratelimited("%s: Invalid IP packet\n", dev->name);
+ goto err;
+ }
+ peer = routing_table_lookup_dst(&wg->peer_routing_table, skb);
 if (unlikely(!peer)) {
 ret = -ENOKEY;
@@ -130,7 +136,7 @@ static netdev_tx_t xmit(struct sk_buff *skb, struct net_device *dev)
 ret = peer->endpoint.addr.sa_family != AF_INET && peer->endpoint.addr.sa_family != AF_INET6;
 read_unlock_bh(&peer->endpoint_lock);
 if (unlikely(ret)) {
- ret = -EHOSTUNREACH;
+ ret = -EDESTADDRREQ;
 net_dbg_ratelimited("%s: No valid endpoint has been configured or discovered for peer %Lu\n", dev->name, peer->internal_id);
 goto err_peer;
 } |
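Review bot: The new guard in xmit() compares `skb_examine_untrusted_ip_hdr(skb)` with `skb->protocol`, but the call site states neither the helper's failure value nor why the check sits ahead of `routing_table_lookup_dst()`. The helper's body is not in this hunk; if it returns 0 for a header it cannot validate, an skb whose `protocol` is also 0 would satisfy the comparison, and the lookup below would then have to reject unknown protocols on its own. That should be confirmed and written down, for example with `/* header must lie inside the skb and its version must match skb->protocol before the routing lookup uses it */` above the `if`. xmit() begins and ends outside the hunk.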
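Review bot: The switch from `-EHOSTUNREACH` to `-EDESTADDRREQ` for a peer without a usable endpoint is not mentioned in the commit description, which only covers IP header checking. Whether `ret` is observed after `err_peer` is not visible in this hunk, but if it is, anything matching on the old code changes behaviour silently. A one-line comment at the assignment, such as `/* no endpoint configured or learned yet for this peer */`, and a sentence in the commit message would make the intent explicit.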