aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* global: add new go 1.17 build commentsHEADmasterJason A. Donenfeld2021-09-0513-2/+15
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* memmod: register exception handler tablesJason A. Donenfeld2021-08-052-0/+19
| | | | | | | | Otherwise recent WDK binaries fail on ARM64, where an exception handler is used for trapping an illegal instruction when ARMv8.1 atomics are being tested for functionality. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* memmod: fix protected delayed load the right wayJason A. Donenfeld2021-07-292-9/+13
| | | | | | | | | | | The reason this was failing before is that dloadsup.h's DloadObtainSection was doing a linear search of sections to find which header corresponds with the IMAGE_DELAYLOAD_DESCRIPTOR section, and we were stupidly overwriting the VirtualSize field, so the linear search wound up matching the .text section, which then it found to not be marked writable and failed with FAST_FAIL_DLOAD_PROTECTION_FAILURE. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* memmod: disable protected delayed load for nowJason A. Donenfeld2021-07-294-2/+155
| | | | | | | Probably a bad idea, but we don't currently support it, and those huge windows.NewCallback trampolines make juicer targets anyway. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ipc: allow admins but require high integrity labelJason A. Donenfeld2021-06-241-2/+1
| | | | | | Might be more reasonable. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: zero out allowedip node pointers when removingJason A. Donenfeld2021-06-042-1/+22
| | | | | | This should make it a bit easier for the garbage collector. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: limit allowedip fuzzer a to 4 times throughJason A. Donenfeld2021-06-031-5/+10
| | | | | | | Trying this for every peer winds up being very slow and precludes it from acceptable runtime in the CI, so reduce this to 4. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: simplify allowedips lookup signatureJason A. Donenfeld2021-06-035-17/+18
| | | | | | The inliner should handle this for us. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: remove nodes by peer in O(1) instead of O(n)Jason A. Donenfeld2021-06-032-72/+82
| | | | | | | | Now that we have parent pointers hooked up, we can simply go right to the node and remove it in place, rather than having to recursively walk the entire trie. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: remove recursion from insertion and connect parent pointersJason A. Donenfeld2021-06-033-59/+95
| | | | | | | | This makes the insertion algorithm a bit more efficient, while also now taking on the additional task of connecting up parent pointers. This will be handy in the following commit. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: reduce size of trie structJason A. Donenfeld2021-06-035-53/+45
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* go.mod: bump golang.org/x/sys againJosh Bleecher Snyder2021-05-252-1/+7
| | | | | | To pick up https://go-review.googlesource.com/c/sys/+/307129. Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>
* device: allow reducing queue constants on iOSJason A. Donenfeld2021-05-223-11/+12
| | | | | | | | | | | Heavier network extensions might require the wireguard-go component to use less ram, so let users of this reduce these as needed. At some point we'll put this behind a configuration method of sorts, but for now, just expose the consts as vars. Requested-by: Josh Bleecher Snyder <josh@tailscale.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun: linux: account for interface removal from outsideJason A. Donenfeld2021-05-202-26/+33
| | | | | | | | On Linux we can run `ip link del wg0`, in which case the fd becomes stale, and we should exit. Since this is an intentional action, don't treat it as an error. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* conn: linux: protect read fdsJason A. Donenfeld2021-05-201-12/+18
| | | | | | | | | The -1 protection was removed and the wrong error was returned, causing us to read from a bogus fd. As well, remove the useless closures that aren't doing anything, since this is all synchronized anyway. Fixes: 10533c3 ("all: make conn.Bind.Open return a slice of receive functions") Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* rwcancel: use ordinary os.ErrClosed instead of custom errorJason A. Donenfeld2021-05-201-2/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* rwcancel: use poll instead of selectJason A. Donenfeld2021-05-204-73/+12
| | | | | Suggested-by: Lennart Poettering <lennart@poettering.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: optimize Peer.String even moreJason A. Donenfeld2021-05-181-14/+16
| | | | | | This reduces the allocation, branches, and amount of base64 encoding. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: optimize Peer.StringJosh Bleecher Snyder2021-05-141-7/+20
| | | | Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
* conn: windows: set count=0 on retryJason A. Donenfeld2021-05-111-0/+1
| | | | | | | | When retrying, if count is not 0, we forget to dequeue another request, and so the ring fills up and errors out. Reported-by: Sascha Dierberg <dierberg@dresearch-fe.de> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* main: replace crlf on windows in fmt testJason A. Donenfeld2021-05-101-0/+4
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* main: check that code is formatted in unit testJason A. Donenfeld2021-05-102-1/+48
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun: formatJason A. Donenfeld2021-05-072-3/+3
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: add ID to repeated routinesJason A. Donenfeld2021-05-073-13/+13
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: remove unusual ... in messagesJason A. Donenfeld2021-05-071-2/+2
| | | | | | We dont use ... in any other present progressive messages except these. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: avoid verbose log line during ordinary shutdown sequenceJason A. Donenfeld2021-05-071-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun: windows: set event before waitingJason A. Donenfeld2021-05-071-18/+18
| | | | | | | | | | | In 097af6e ("tun: windows: protect reads from closing") we made sure no functions are running when End() is called, to avoid a UaF. But we still need to kick that event somehow, so that Read() is allowed to exit, in order to release the lock. So this commit calls SetEvent, while moving the closing boolean to be atomic so it can be modified without locks, and then moves to a WaitGroup for the RCU-like pattern. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun: windows: rearrange struct to avoid alignment trap on 32bitJason A. Donenfeld2021-05-071-4/+4
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun: windows: check alignment in unit testJason A. Donenfeld2021-05-071-0/+67
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: log all errors received by RoutineReceiveIncomingJosh Bleecher Snyder2021-05-061-1/+1
| | | | | | | | | | | When debugging, it's useful to know why a receive func exited. We were already logging that, but only in the "death spiral" case. Move the logging up, to capture it always. Reduce the verbosity, since it is not an error case any more. Put the receive func name in the log line. Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>
* tun/netstack: update go mod and remove GSO argumentJason A. Donenfeld2021-05-063-16/+18
| | | | | Reported-by: John Xiong <xiaoyang1258@yeah.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun: windows: send MTU update when forced MTU changesJason A. Donenfeld2021-05-051-0/+4
| | | | | | Otherwise the padding doesn't get updated. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun: windows: protect reads from closingJason A. Donenfeld2021-04-261-6/+19
| | | | | | | | | | | | The code previously used the old errors channel for checking, rather than the simpler boolean, which caused issues on shutdown, since the errors channel was meaningless. However, looking at this exposed a more basic problem: Close() and all the other functions that check the closed boolean can race. So protect with a basic RW lock, to ensure that Close() waits for all pending operations to complete. Reported-by: Joshua Sjoding <joshua.sjoding@scjalliance.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* conn: windows: do not error out when receiving UDP jumbogramJason A. Donenfeld2021-04-261-2/+14
| | | | | | | | | | | | If we receive a large UDP packet, don't return an error to receive.go, which then terminates the receive loop. Instead, simply retry. Considering Winsock's general finickiness, we might consider other places where an attacker on the wire can generate error conditions like this. Reported-by: Sascha Dierberg <sascha.dierberg@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* version: bump snapshot0.0.20210424Jason A. Donenfeld2021-04-241-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun: freebsd: avoid OOB writesJason A. Donenfeld2021-04-191-0/+7
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun: freebsd: become controlling process when reopening tun FDJason A. Donenfeld2021-04-191-0/+10
| | | | | | | When we pass the TUN FD to the child, we have to call TUNSIFPID; otherwise when we close the device, we get a splat in dmesg. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun: freebsd: restructure and cleanupJason A. Donenfeld2021-04-191-166/+66
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun: freebsd: remove horrific hack for getting tunnel nameJason A. Donenfeld2021-04-191-84/+13
| | | | | | As of FreeBSD 12.1, there's TUNGIFNAME. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun: freebsd: set IFF_MULTICAST for routing daemonsJason A. Donenfeld2021-04-181-4/+4
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* main: print kernel warning on OpenBSD and FreeBSD tooJason A. Donenfeld2021-04-151-13/+16
| | | | | | More kernels! Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: don't defer unlocking from loopJason A. Donenfeld2021-04-121-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* conn: reconstruct v4 vs v6 receive function based on symtabJason A. Donenfeld2021-04-124-15/+69
| | | | | | This is kind of gross but it's better than the alternatives. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: allocate new buffer in receive death spiralKristupas Antanavičius2021-04-121-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | Note: this bug is "hidden" by avoiding "death spiral" code path by 6228659 ("device: handle broader range of errors in RoutineReceiveIncoming"). If the code reached "death spiral" mechanism, there would be multiple double frees happening. This results in a deadlock on iOS, because the pools are fixed size and goroutine might stop until somebody makes space in the pool. This was almost 100% repro on the new ARM Macbooks: - Build with 'ios' tag for Mac. This will enable bounded pools. - Somehow call device.IpcSet at least couple of times (update config) - device.BindUpdate() would be triggered - RoutineReceiveIncoming would enter "death spiral". - RoutineReceiveIncoming would stall on double free (pool is already full) - The stuck routine would deadlock 'device.closeBindLocked()' function on line 'netc.stopping.Wait()' Signed-off-by: Kristupas Antanavičius <kristupas.antanavicius@nordsec.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* conn: windows: reset ring to starting position after freeJason A. Donenfeld2021-04-091-0/+3
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* conn: windows: compare head and tail properlyJason A. Donenfeld2021-04-091-1/+1
| | | | | | | | By not comparing these with the modulo, the ring became nearly never full, resulting in completion queue buffers filling up prematurely. Reported-by: Joshua Sjoding <joshua.sjoding@scjalliance.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* winrio: test that IOCP-based RIO is supportedJason A. Donenfeld2021-04-091-1/+9
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* all: make conn.Bind.Open return a slice of receive functionsJosh Bleecher Snyder2021-04-027-142/+138
| | | | | | | | | | | | | | | | | Instead of hard-coding exactly two sources from which to receive packets (an IPv4 source and an IPv6 source), allow the conn.Bind to specify a set of sources. Beneficial consequences: * If there's no IPv6 support on a system, conn.Bind.Open can choose not to return a receive function for it, which is simpler than tracking that state in the bind. This simplification removes existing data races from both conn.StdNetBind and bindtest.ChannelBind. * If there are more than two sources on a system, the conn.Bind no longer needs to add a separate muxing layer. Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>
* conn: winrio: pass key parameter into structJason A. Donenfeld2021-04-021-0/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: handle broader range of errors in RoutineReceiveIncomingJosh Bleecher Snyder2021-03-301-0/+3
| | | | | | | | | | | | | RoutineReceiveIncoming exits immediately on net.ErrClosed, but not on other errors. However, for errors that are known to be permanent, such as syscall.EAFNOSUPPORT, we may as well exit immediately instead of retrying. This considerably speeds up the package device tests right now, because the Bind sometimes (incorrectly) returns syscall.EAFNOSUPPORT instead of net.ErrClosed. Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com>