authorJason A. Donenfeld <Jason@zx2c4.com>2017-06-25 16:24:23 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2017-06-26 12:35:06 +0200
commit2f12227690cf9a979a9a148109c96ab4f6ee6c0e (patch)
tree40c09b45766dd5f67f50d5986a6e75b90a7d3ede /src/packets.h
parentdevice: remove icmp conntrack hacks (diff)
downloadwireguard-monolithic-historical-2f12227690cf9a979a9a148109c96ab4f6ee6c0e.tar.xz
wireguard-monolithic-historical-2f12227690cf9a979a9a148109c96ab4f6ee6c0e.zip
global: cleanup IP header checking
This way is more correct and ensures we're within the skb head.
Diffstat (limited to '')
-rw-r--r--src/packets.h14
1 files changed, 13 insertions, 1 deletions
diff --git a/src/packets.h b/src/packets.h
index 0e909d3..c956c7a 100644
--- a/src/packets.h
+++ b/src/packets.h
@@ -9,6 +9,9 @@
#include <linux/types.h>
#include <linux/padata.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
struct wireguard_device;
struct wireguard_peer;
@@ -34,11 +37,20 @@ void packet_send_handshake_response(struct wireguard_peer *peer);
void packet_send_handshake_cookie(struct wireguard_device *wg, struct sk_buff *initiating_skb, __le32 sender_index);
void packet_create_data_done(struct sk_buff_head *queue, struct wireguard_peer *peer);
-
/* data.c */
int packet_create_data(struct sk_buff_head *queue, struct wireguard_peer *peer);
void packet_consume_data(struct sk_buff *skb, struct wireguard_device *wg);
+/* Returns either the correct skb->protocol value, or 0 if invalid. */
+static inline __be16 skb_examine_untrusted_ip_hdr(struct sk_buff *skb)
+{
+ if (skb_network_header(skb) >= skb->head && (skb_network_header(skb) + sizeof(struct iphdr)) <= skb_tail_pointer(skb) && ip_hdr(skb)->version == 4)
+ return htons(ETH_P_IP);
+ if (skb_network_header(skb) >= skb->head && (skb_network_header(skb) + sizeof(struct ipv6hdr)) <= skb_tail_pointer(skb) && ipv6_hdr(skb)->version == 6)
+ return htons(ETH_P_IPV6);
+ return 0;
+}
+
#ifdef CONFIG_WIREGUARD_PARALLEL
int packet_init_data_caches(void);
void packet_deinit_data_caches(void);
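Review bot: The comment above `skb_examine_untrusted_ip_hdr` promises 0 "if invalid", but the two conditions only establish that a fixed-size header (`sizeof(struct iphdr)` or `sizeof(struct ipv6hdr)`) lies between `skb->head` and `skb_tail_pointer(skb)` and that the version nibble matches. The `ihl`, `tot_len` and `payload_len` fields are never read, so a caller that goes on to use IPv4 options or the length fields of this untrusted header still needs its own bounds check. I would state that limit in the comment: `/* Returns the skb->protocol value matching the IP version nibble, or 0. Only the fixed-size header is bounds-checked; ihl and the length fields are not validated. */`. As a point of style, the `skb_network_header(skb) >= skb->head` test is repeated in both conditions and could be hoisted into one early `return 0`, which would also shorten the two very long lines.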