author | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-06-25 16:24:23 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-06-26 12:35:06 +0200 |
commit | 2f12227690cf9a979a9a148109c96ab4f6ee6c0e (patch) | |
tree | 40c09b45766dd5f67f50d5986a6e75b90a7d3ede /src/packets.h | |
parent | device: remove icmp conntrack hacks (diff) | |
global: cleanup IP header checking
This way is more correct and ensures we're within the skb head.
Diffstat (limited to 'src/packets.h')
-rw-r--r-- | src/packets.h | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/src/packets.h b/src/packets.h
index 0e909d3..c956c7a 100644
--- a/src/packets.h
+++ b/src/packets.h
@@ -9,6 +9,9 @@
 #include <linux/types.h>
 #include <linux/padata.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
 struct wireguard_device;
 struct wireguard_peer;
@@ -34,11 +37,20 @@ void packet_send_handshake_response(struct wireguard_peer *peer);
 void packet_send_handshake_cookie(struct wireguard_device *wg, struct sk_buff *initiating_skb, __le32 sender_index);
 void packet_create_data_done(struct sk_buff_head *queue, struct wireguard_peer *peer);
-
 /* data.c */
 int packet_create_data(struct sk_buff_head *queue, struct wireguard_peer *peer);
 void packet_consume_data(struct sk_buff *skb, struct wireguard_device *wg);
+/* Returns either the correct skb->protocol value, or 0 if invalid. */
+static inline __be16 skb_examine_untrusted_ip_hdr(struct sk_buff *skb)
+{
+ if (skb_network_header(skb) >= skb->head && (skb_network_header(skb) + sizeof(struct iphdr)) <= skb_tail_pointer(skb) && ip_hdr(skb)->version == 4)
+ return htons(ETH_P_IP);
+ if (skb_network_header(skb) >= skb->head && (skb_network_header(skb) + sizeof(struct ipv6hdr)) <= skb_tail_pointer(skb) && ipv6_hdr(skb)->version == 6)
+ return htons(ETH_P_IPV6);
+ return 0;
+}
+
 #ifdef CONFIG_WIREGUARD_PARALLEL
 int packet_init_data_caches(void);
 void packet_deinit_data_caches(void); |
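Review bot: The comment above `skb_examine_untrusted_ip_hdr` in the second hunk should spell out how little the helper verifies, because the name invites callers to treat a non-zero return as "header is safe to use". The visible checks cover only that a fixed-size `struct iphdr` or `struct ipv6hdr` fits between `skb->head` and `skb_tail_pointer(skb)` and that the version nibble is 4 or 6. Fields such as `ihl`, `tot_len` and `payload_len` remain unvalidated, and a header lying beyond the linear area is reported as invalid (0) rather than pulled in. I would extend the comment to something like `/* Bounds-checks only the fixed header in the linear area plus the version field; callers must still validate ihl/tot_len/payload_len before trusting them. */`. As a style point, the `skb_network_header(skb) >= skb->head` test is repeated in both conditions and could be hoisted into a single early `return 0;`, and the parameter could probably be `const struct sk_buff *skb` since nothing visible here writes through it.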