git: 1463d5ff1316 - stable/14 - if_ovpn: fix use-after-free of mbuf
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 15 Apr 2025 12:26:35 UTC
The branch stable/14 has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=1463d5ff13164362f0825c4613dcb4eb42a7396c
commit 1463d5ff13164362f0825c4613dcb4eb42a7396c
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-04-01 13:19:26 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-04-15 07:27:09 +0000
if_ovpn: fix use-after-free of mbuf
m_unshare() can return a new mbuf pointer. We update the 'm' pointer in
ovpn_udp_input(), but if we decide to pass on the packet (e.g. because it's for
an unknown peer) the caller (udp_append()) continues with the old 'm' pointer,
eventually resulting in a use-after-free.
Re-order operations in ovpn_udp_input() so that we don't modify the 'm' pointer
until we're committed to keeping the packet.
PR: 283426
Test case by: takahiro.kurosawa@gmail.com
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 04a7134c1e92c7752ffdc665f99ae26db70866c0)
---
sys/net/if_ovpn.c | 12 +++---
tests/sys/net/if_ovpn/if_ovpn.sh | 81 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 87 insertions(+), 6 deletions(-)
diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index 6309d1f365cf..879cc0636db7 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -2255,12 +2255,6 @@ ovpn_udp_input(struct mbuf *m, int off, struct inpcb *inp,
M_ASSERTPKTHDR(m);
- m = m_unshare(m, M_NOWAIT);
- if (m == NULL) {
- OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1);
- return (true);
- }
-
OVPN_COUNTER_ADD(sc, transport_bytes_received, m->m_pkthdr.len - off);
ohdrlen = sizeof(*ohdr) - sizeof(ohdr->auth_tag);
@@ -2288,6 +2282,12 @@ ovpn_udp_input(struct mbuf *m, int off, struct inpcb *inp,
return (false);
}
+ m = m_unshare(m, M_NOWAIT);
+ if (m == NULL) {
+ OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1);
+ return (true);
+ }
+
m = m_pullup(m, off + sizeof(*uhdr) + ohdrlen);
if (m == NULL) {
OVPN_RUNLOCK(sc);
diff --git a/tests/sys/net/if_ovpn/if_ovpn.sh b/tests/sys/net/if_ovpn/if_ovpn.sh
index 3623f57115ac..b0967c992b5d 100644
--- a/tests/sys/net/if_ovpn/if_ovpn.sh
+++ b/tests/sys/net/if_ovpn/if_ovpn.sh
@@ -106,6 +106,86 @@ atf_test_case "4in4" "cleanup"
ovpn_cleanup
}
+atf_test_case "bz283426" "cleanup"
+bz283426_head()
+{
+ atf_set descr 'FreeBSD Bugzilla 283426'
+ atf_set require.user root
+ atf_set require.progs openvpn python3
+}
+
+bz283426_body()
+{
+ ovpn_init
+
+ l=$(vnet_mkepair)
+
+ vnet_mkjail a ${l}a
+ jexec a ifconfig ${l}a 192.0.2.1/24 up
+ vnet_mkjail b ${l}b
+ jexec b ifconfig ${l}b 192.0.2.2/24 up
+
+ # Sanity check
+ atf_check -s exit:0 -o ignore jexec a ping -c 1 192.0.2.2
+
+ ovpn_start a "
+ dev ovpn0
+ dev-type tun
+ proto udp4
+
+ cipher AES-256-GCM
+ auth SHA256
+
+ bind 0.0.0.0:1194
+ server 198.51.100.0 255.255.255.0
+ ca $(atf_get_srcdir)/ca.crt
+ cert $(atf_get_srcdir)/server.crt
+ key $(atf_get_srcdir)/server.key
+ dh $(atf_get_srcdir)/dh.pem
+
+ mode server
+ script-security 2
+ auth-user-pass-verify /usr/bin/true via-env
+ topology subnet
+
+ keepalive 100 600
+ "
+ ovpn_start b "
+ dev tun0
+ dev-type tun
+
+ client
+
+ remote 192.0.2.1
+ auth-user-pass $(atf_get_srcdir)/user.pass
+
+ ca $(atf_get_srcdir)/ca.crt
+ cert $(atf_get_srcdir)/client.crt
+ key $(atf_get_srcdir)/client.key
+ dh $(atf_get_srcdir)/dh.pem
+
+ keepalive 100 600
+ "
+
+ # Give the tunnel time to come up
+ sleep 10
+
+ atf_check -s exit:0 -o ignore jexec b ping -c 1 198.51.100.1
+
+ # Send a broadcast packet in the outer link.
+ echo "import socket as sk
+s = sk.socket(sk.AF_INET, sk.SOCK_DGRAM)
+s.setsockopt(sk.SOL_SOCKET, sk.SO_BROADCAST, 1)
+s.sendto(b'x' * 1000, ('192.0.2.255', 1194))" | jexec b python3
+
+ atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1
+}
+
+bz283426_cleanup()
+{
+ ovpn_cleanup
+}
+
atf_test_case "4mapped" "cleanup"
4mapped_head()
{
@@ -1033,6 +1113,7 @@ gcm_128_cleanup()
atf_init_test_cases()
{
atf_add_test_case "4in4"
+ atf_add_test_case "bz283426"
atf_add_test_case "4mapped"
atf_add_test_case "6in4"
atf_add_test_case "6in6"