git: 04a7134c1e92 - main - if_ovpn: fix use-after-free of mbuf
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 01 Apr 2025 14:25:43 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=04a7134c1e92c7752ffdc665f99ae26db70866c0
commit 04a7134c1e92c7752ffdc665f99ae26db70866c0
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-04-01 13:19:26 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-04-01 14:15:29 +0000
if_ovpn: fix use-after-free of mbuf
m_unshare() can return a new mbuf pointer. We update the 'm' pointer in
ovpn_udp_input(), but if we decide to pass on the packet (e.g. because it's for
an unknown peer) the caller (udp_append()) continues with the old 'm' pointer,
eventually resulting in a use-after-free.
Re-order operations in ovpn_udp_input() so that we don't modify the 'm' pointer
until we're committed to keeping the packet.
PR: 283426
Test case by: takahiro.kurosawa@gmail.com
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/net/if_ovpn.c | 12 +++---
tests/sys/net/if_ovpn/if_ovpn.sh | 81 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 87 insertions(+), 6 deletions(-)
diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index cbcfe15dffc7..7bdbc565f4ca 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -2248,12 +2248,6 @@ ovpn_udp_input(struct mbuf *m, int off, struct inpcb *inp,
M_ASSERTPKTHDR(m);
- m = m_unshare(m, M_NOWAIT);
- if (m == NULL) {
- OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1);
- return (true);
- }
-
OVPN_COUNTER_ADD(sc, transport_bytes_received, m->m_pkthdr.len - off);
ohdrlen = sizeof(*ohdr) - sizeof(ohdr->auth_tag);
@@ -2281,6 +2275,12 @@ ovpn_udp_input(struct mbuf *m, int off, struct inpcb *inp,
return (false);
}
+ m = m_unshare(m, M_NOWAIT);
+ if (m == NULL) {
+ OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1);
+ return (true);
+ }
+
m = m_pullup(m, off + sizeof(*uhdr) + ohdrlen);
if (m == NULL) {
OVPN_RUNLOCK(sc);
diff --git a/tests/sys/net/if_ovpn/if_ovpn.sh b/tests/sys/net/if_ovpn/if_ovpn.sh
index ea1eed88de9e..2138e0f666ec 100644
--- a/tests/sys/net/if_ovpn/if_ovpn.sh
+++ b/tests/sys/net/if_ovpn/if_ovpn.sh
@@ -106,6 +106,86 @@ atf_test_case "4in4" "cleanup"
ovpn_cleanup
}
+atf_test_case "bz283426" "cleanup"
+bz283426_head()
+{
+ atf_set descr 'FreeBSD Bugzilla 283426'
+ atf_set require.user root
+ atf_set require.progs openvpn python3
+}
+
+bz283426_body()
+{
+ ovpn_init
+
+ l=$(vnet_mkepair)
+
+ vnet_mkjail a ${l}a
+ jexec a ifconfig ${l}a 192.0.2.1/24 up
+ vnet_mkjail b ${l}b
+ jexec b ifconfig ${l}b 192.0.2.2/24 up
+
+ # Sanity check
+ atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
+
+ ovpn_start a "
+ dev ovpn0
+ dev-type tun
+ proto udp4
+
+ cipher AES-256-GCM
+ auth SHA256
+
+ bind 0.0.0.0:1194
+ server 198.51.100.0 255.255.255.0
+ ca $(atf_get_srcdir)/ca.crt
+ cert $(atf_get_srcdir)/server.crt
+ key $(atf_get_srcdir)/server.key
+ dh $(atf_get_srcdir)/dh.pem
+
+ mode server
+ script-security 2
+ auth-user-pass-verify /usr/bin/true via-env
+ topology subnet
+
+ keepalive 100 600
+ "
+ ovpn_start b "
+ dev tun0
+ dev-type tun
+
+ client
+
+ remote 192.0.2.1
+ auth-user-pass $(atf_get_srcdir)/user.pass
+
+ ca $(atf_get_srcdir)/ca.crt
+ cert $(atf_get_srcdir)/client.crt
+ key $(atf_get_srcdir)/client.key
+ dh $(atf_get_srcdir)/dh.pem
+
+ keepalive 100 600
+ "
+
+ # Give the tunnel time to come up
+ sleep 10
+
+ atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1
+
+ # Send a broadcast packet in the outer link.
+ echo "import socket as sk
+s = sk.socket(sk.AF_INET, sk.SOCK_DGRAM)
+s.setsockopt(sk.SOL_SOCKET, sk.SO_BROADCAST, 1)
+s.sendto(b'x' * 1000, ('192.0.2.255', 1194))" | jexec b python3
+
+ atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
+}
+
+bz283426_cleanup()
+{
+ ovpn_cleanup
+}
+
atf_test_case "4mapped" "cleanup"
4mapped_head()
{
@@ -1072,6 +1152,7 @@ destroy_unused_cleanup()
atf_init_test_cases()
{
atf_add_test_case "4in4"
+ atf_add_test_case "bz283426"
atf_add_test_case "4mapped"
atf_add_test_case "6in4"
atf_add_test_case "6in6"