git: 04a7134c1e92 - main - if_ovpn: fix use-after-free of mbuf

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Tue, 01 Apr 2025 14:25:43 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=04a7134c1e92c7752ffdc665f99ae26db70866c0

commit 04a7134c1e92c7752ffdc665f99ae26db70866c0
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-04-01 13:19:26 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-04-01 14:15:29 +0000

    if_ovpn: fix use-after-free of mbuf
    
    m_unshare() can return a new mbuf pointer. We update the 'm' pointer in
    ovpn_udp_input(), but if we decide to pass on the packet (e.g. because it's for
    an unknown peer) the caller (udp_append()) continues with the old 'm' pointer,
    eventually resulting in a use-after-free.
    
    Re-order operations in ovpn_udp_input() so that we don't modify the 'm' pointer
    until we're committed to keeping the packet.
    
    PR:             283426
    Test case by:   takahiro.kurosawa@gmail.com
    MFC after:      2 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/net/if_ovpn.c                | 12 +++---
 tests/sys/net/if_ovpn/if_ovpn.sh | 81 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+), 6 deletions(-)

diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index cbcfe15dffc7..7bdbc565f4ca 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -2248,12 +2248,6 @@ ovpn_udp_input(struct mbuf *m, int off, struct inpcb *inp,
 
 	M_ASSERTPKTHDR(m);
 
-	m = m_unshare(m, M_NOWAIT);
-	if (m == NULL) {
-		OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1);
-		return (true);
-	}
-
 	OVPN_COUNTER_ADD(sc, transport_bytes_received, m->m_pkthdr.len - off);
 
 	ohdrlen = sizeof(*ohdr) - sizeof(ohdr->auth_tag);
@@ -2281,6 +2275,12 @@ ovpn_udp_input(struct mbuf *m, int off, struct inpcb *inp,
 		return (false);
 	}
 
+	m = m_unshare(m, M_NOWAIT);
+	if (m == NULL) {
+		OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1);
+		return (true);
+	}
+
 	m = m_pullup(m, off + sizeof(*uhdr) + ohdrlen);
 	if (m == NULL) {
 		OVPN_RUNLOCK(sc);
diff --git a/tests/sys/net/if_ovpn/if_ovpn.sh b/tests/sys/net/if_ovpn/if_ovpn.sh
index ea1eed88de9e..2138e0f666ec 100644
--- a/tests/sys/net/if_ovpn/if_ovpn.sh
+++ b/tests/sys/net/if_ovpn/if_ovpn.sh
@@ -106,6 +106,86 @@ atf_test_case "4in4" "cleanup"
 	ovpn_cleanup
 }
 
+atf_test_case "bz283426" "cleanup"
+bz283426_head()
+{
+	atf_set descr 'FreeBSD Bugzilla 283426'
+	atf_set require.user root
+	atf_set require.progs openvpn python3
+}
+
+bz283426_body()
+{
+	ovpn_init
+
+	l=$(vnet_mkepair)
+
+	vnet_mkjail a ${l}a
+	jexec a ifconfig ${l}a 192.0.2.1/24 up
+	vnet_mkjail b ${l}b
+	jexec b ifconfig ${l}b 192.0.2.2/24 up
+
+	# Sanity check
+	atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
+
+	ovpn_start a "
+		dev ovpn0
+		dev-type tun
+		proto udp4
+
+		cipher AES-256-GCM
+		auth SHA256
+
+		bind 0.0.0.0:1194
+		server 198.51.100.0 255.255.255.0
+		ca $(atf_get_srcdir)/ca.crt
+		cert $(atf_get_srcdir)/server.crt
+		key $(atf_get_srcdir)/server.key
+		dh $(atf_get_srcdir)/dh.pem
+
+		mode server
+		script-security 2
+		auth-user-pass-verify /usr/bin/true via-env
+		topology subnet
+
+		keepalive 100 600
+	"
+	ovpn_start b "
+		dev tun0
+		dev-type tun
+
+		client
+
+		remote 192.0.2.1
+		auth-user-pass $(atf_get_srcdir)/user.pass
+
+		ca $(atf_get_srcdir)/ca.crt
+		cert $(atf_get_srcdir)/client.crt
+		key $(atf_get_srcdir)/client.key
+		dh $(atf_get_srcdir)/dh.pem
+
+		keepalive 100 600
+	"
+
+	# Give the tunnel time to come up
+	sleep 10
+
+	atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1
+
+	# Send a broadcast packet in the outer link.
+	echo "import socket as sk
+s = sk.socket(sk.AF_INET, sk.SOCK_DGRAM)
+s.setsockopt(sk.SOL_SOCKET, sk.SO_BROADCAST, 1)
+s.sendto(b'x' * 1000, ('192.0.2.255', 1194))" | jexec b python3
+
+	atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
+}
+
+bz283426_cleanup()
+{
+	ovpn_cleanup
+}
+
 atf_test_case "4mapped" "cleanup"
 4mapped_head()
 {
@@ -1072,6 +1152,7 @@ destroy_unused_cleanup()
 atf_init_test_cases()
 {
 	atf_add_test_case "4in4"
+	atf_add_test_case "bz283426"
 	atf_add_test_case "4mapped"
 	atf_add_test_case "6in4"
 	atf_add_test_case "6in6"