git: 04a7134c1e92 - main - if_ovpn: fix use-after-free of mbuf
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 01 Apr 2025 14:25:43 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=04a7134c1e92c7752ffdc665f99ae26db70866c0 commit 04a7134c1e92c7752ffdc665f99ae26db70866c0 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2025-04-01 13:19:26 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2025-04-01 14:15:29 +0000 if_ovpn: fix use-after-free of mbuf m_unshare() can return a new mbuf pointer. We update the 'm' pointer in ovpn_udp_input(), but if we decide to pass on the packet (e.g. because it's for an unknown peer) the caller (udp_append()) continues with the old 'm' pointer, eventually resulting in a use-after-free. Re-order operations in ovpn_udp_input() so that we don't modify the 'm' pointer until we're committed to keeping the packet. PR: 283426 Test case by: takahiro.kurosawa@gmail.com MFC after: 2 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/net/if_ovpn.c | 12 +++--- tests/sys/net/if_ovpn/if_ovpn.sh | 81 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 87 insertions(+), 6 deletions(-) diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c index cbcfe15dffc7..7bdbc565f4ca 100644 --- a/sys/net/if_ovpn.c +++ b/sys/net/if_ovpn.c @@ -2248,12 +2248,6 @@ ovpn_udp_input(struct mbuf *m, int off, struct inpcb *inp, M_ASSERTPKTHDR(m); - m = m_unshare(m, M_NOWAIT); - if (m == NULL) { - OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1); - return (true); - } - OVPN_COUNTER_ADD(sc, transport_bytes_received, m->m_pkthdr.len - off); ohdrlen = sizeof(*ohdr) - sizeof(ohdr->auth_tag); @@ -2281,6 +2275,12 @@ ovpn_udp_input(struct mbuf *m, int off, struct inpcb *inp, return (false); } + m = m_unshare(m, M_NOWAIT); + if (m == NULL) { + OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1); + return (true); + } + m = m_pullup(m, off + sizeof(*uhdr) + ohdrlen); if (m == NULL) { OVPN_RUNLOCK(sc); diff --git a/tests/sys/net/if_ovpn/if_ovpn.sh b/tests/sys/net/if_ovpn/if_ovpn.sh index ea1eed88de9e..2138e0f666ec 100644 --- a/tests/sys/net/if_ovpn/if_ovpn.sh +++ b/tests/sys/net/if_ovpn/if_ovpn.sh @@ -106,6 +106,86 @@ atf_test_case "4in4" "cleanup" ovpn_cleanup } +atf_test_case "bz283426" "cleanup" +bz283426_head() +{ + atf_set descr 'FreeBSD Bugzilla 283426' + atf_set require.user root + atf_set require.progs openvpn python3 +} + +bz283426_body() +{ + ovpn_init + + l=$(vnet_mkepair) + + vnet_mkjail a ${l}a + jexec a ifconfig ${l}a 192.0.2.1/24 up + vnet_mkjail b ${l}b + jexec b ifconfig ${l}b 192.0.2.2/24 up + + # Sanity check + atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2 + + ovpn_start a " + dev ovpn0 + dev-type tun + proto udp4 + + cipher AES-256-GCM + auth SHA256 + + bind 0.0.0.0:1194 + server 198.51.100.0 255.255.255.0 + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/server.crt + key $(atf_get_srcdir)/server.key + dh $(atf_get_srcdir)/dh.pem + + mode server + script-security 2 + auth-user-pass-verify /usr/bin/true via-env + topology subnet + + keepalive 100 600 + " + ovpn_start b " + dev tun0 + dev-type tun + + client + + remote 192.0.2.1 + auth-user-pass $(atf_get_srcdir)/user.pass + + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/client.crt + key $(atf_get_srcdir)/client.key + dh $(atf_get_srcdir)/dh.pem + + keepalive 100 600 + " + + # Give the tunnel time to come up + sleep 10 + + atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1 + + # Send a broadcast packet in the outer link. + echo "import socket as sk +s = sk.socket(sk.AF_INET, sk.SOCK_DGRAM) +s.setsockopt(sk.SOL_SOCKET, sk.SO_BROADCAST, 1) +s.sendto(b'x' * 1000, ('192.0.2.255', 1194))" | jexec b python3 + + atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 +} + +bz283426_cleanup() +{ + ovpn_cleanup +} + atf_test_case "4mapped" "cleanup" 4mapped_head() { @@ -1072,6 +1152,7 @@ destroy_unused_cleanup() atf_init_test_cases() { atf_add_test_case "4in4" + atf_add_test_case "bz283426" atf_add_test_case "4mapped" atf_add_test_case "6in4" atf_add_test_case "6in6"