authorJason A. Donenfeld <Jason@zx2c4.com>2017-06-25 16:24:23 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2017-06-26 12:35:06 +0200
commit2f12227690cf9a979a9a148109c96ab4f6ee6c0e (patch)
tree40c09b45766dd5f67f50d5986a6e75b90a7d3ede /src/device.c
parentdevice: remove icmp conntrack hacks (diff)
global: cleanup IP header checking
This way is more correct and ensures we're within the skb head.
Diffstat (limited to 'src/device.c')
-rw-r--r--src/device.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/device.c b/src/device.c
index 22632e5..c299d19 100644
--- a/src/device.c
+++ b/src/device.c
@@ -119,6 +119,12 @@ static netdev_tx_t xmit(struct sk_buff *skb, struct net_device *dev)
goto err;
}
+ if (unlikely(skb_examine_untrusted_ip_hdr(skb) != skb->protocol)) {
+ ret = -EPROTONOSUPPORT;
+ net_dbg_ratelimited("%s: Invalid IP packet\n", dev->name);
+ goto err;
+ }
+
peer = routing_table_lookup_dst(&wg->peer_routing_table, skb);
if (unlikely(!peer)) {
ret = -ENOKEY;
@@ -130,7 +136,7 @@ static netdev_tx_t xmit(struct sk_buff *skb, struct net_device *dev)
ret = peer->endpoint.addr.sa_family != AF_INET && peer->endpoint.addr.sa_family != AF_INET6;
read_unlock_bh(&peer->endpoint_lock);
if (unlikely(ret)) {
- ret = -EHOSTUNREACH;
+ ret = -EDESTADDRREQ;
net_dbg_ratelimited("%s: No valid endpoint has been configured or discovered for peer %Lu\n", dev->name, peer->internal_id);
goto err_peer;
}
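Review bot: The new guard in the first hunk, `if (unlikely(skb_examine_untrusted_ip_hdr(skb) != skb->protocol))`, encodes a contract with a helper whose definition is not in this hunk, and nothing at the call site says what the helper returns for a header it could not validate; if it signals failure with a value that `skb->protocol` could also carry, the comparison would let that packet through, so the convention should be stated where it is relied on. Suggested comment above the check: `/* Helper returns the protocol it could validate inside the skb head; a mismatch means a truncated or mislabelled IP header. */`, with the failure value confirmed against the helper's definition. Rejecting before `routing_table_lookup_dst()` is the right ordering, since the header is attacker-controlled and the lookup presumably parses it, and the ratelimited debug line logs only `dev->name`, not packet contents. The enclosing `xmit()` starts and ends outside the hunk.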